534500x800000000000000016135Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:54:31.943{6CA7D817-D2C7-654B-5724-000000000A03}3928C:\Users\ADMINI~1\AppData\Local\Temp\2\autoit-v3\install\AutoIt3.exeAR-WIN-2\Administrator 154100x800000000000000015993Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:26:15.769{6CA7D817-D2C7-654B-5724-000000000A03}3928C:\Users\ADMINI~1\AppData\Local\Temp\2\autoit-v3\install\AutoIt3.exe3, 3, 16, 1AutoIt v3 ScriptAutoIt v3 ScriptAutoIt TeamAutoIt3.exe"C:\Users\ADMINI~1\AppData\Local\Temp\2\autoit-v3\install\autoit3.exe" C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3 C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=0ADB9B817F1DF7807576C2D7068DD931,SHA256=98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B,IMPHASH=07F236B4003A1F1174171E18CAD3B475{6CA7D817-D2C6-654B-5124-000000000A03}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; $autoitExePath = \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\""; if (-not (Test-Path -Path $autoitExePath)) { iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; } Start-Process -FilePath $autoitExePath -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015992Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:26:15.559{6CA7D817-D2C7-654B-5624-000000000A03}6236C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{6CA7D817-D2C6-654B-5124-000000000A03}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; $autoitExePath = \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\""; if (-not (Test-Path -Path $autoitExePath)) { iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; } Start-Process -FilePath $autoitExePath -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015991Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:26:15.472{6CA7D817-D2C7-654B-5524-000000000A03}5908C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{6CA7D817-D2C6-654B-5124-000000000A03}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; $autoitExePath = \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\""; if (-not (Test-Path -Path $autoitExePath)) { iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; } Start-Process -FilePath $autoitExePath -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015988Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:26:15.340{6CA7D817-D2C7-654B-5324-000000000A03}6088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\lamw2v25\lamw2v25.cmdline"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{6CA7D817-D2C6-654B-5124-000000000A03}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; $autoitExePath = \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\""; if (-not (Test-Path -Path $autoitExePath)) { iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; } Start-Process -FilePath $autoitExePath -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015984Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:26:14.714{6CA7D817-D2C6-654B-5124-000000000A03}6552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {$ErrorActionPreference = 'Stop'; $autoitExePath = \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\""; if (-not (Test-Path -Path $autoitExePath)) { iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; } Start-Process -FilePath $autoitExePath -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"").Path;}C:\Users\ADMINI~1\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{6CA7D817-C983-654B-0923-000000000A03}4556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" AR-WIN-2\Administrator 534500x800000000000000015940Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:19:03.974{6CA7D817-D115-654B-2424-000000000A03}5668C:\Users\ADMINI~1\AppData\Local\Temp\2\autoit-v3\install\AutoIt3.exeAR-WIN-2\Administrator 154100x800000000000000015938Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:19:01.396{6CA7D817-D115-654B-2424-000000000A03}5668C:\Users\ADMINI~1\AppData\Local\Temp\2\autoit-v3\install\AutoIt3.exe3, 3, 16, 1AutoIt v3 ScriptAutoIt v3 ScriptAutoIt TeamAutoIt3.exe"C:\Users\ADMINI~1\AppData\Local\Temp\2\autoit-v3\install\autoit3.exe" C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3 C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=0ADB9B817F1DF7807576C2D7068DD931,SHA256=98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B,IMPHASH=07F236B4003A1F1174171E18CAD3B475{6CA7D817-D114-654B-1D24-000000000A03}5228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; $autoitExePath = \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\""; if (-not (Test-Path -Path $autoitExePath)) { iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; } Start-Process -FilePath $autoitExePath -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015937Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:19:01.123{6CA7D817-D115-654B-2324-000000000A03}2884C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{6CA7D817-D114-654B-1D24-000000000A03}5228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; $autoitExePath = \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\""; if (-not (Test-Path -Path $autoitExePath)) { iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; } Start-Process -FilePath $autoitExePath -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015936Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:19:00.989{6CA7D817-D114-654B-2224-000000000A03}3348C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{6CA7D817-D114-654B-1D24-000000000A03}5228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; $autoitExePath = \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\""; if (-not (Test-Path -Path $autoitExePath)) { iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; } Start-Process -FilePath $autoitExePath -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015932Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:19:00.835{6CA7D817-D114-654B-1F24-000000000A03}5092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\dt0yag5l\dt0yag5l.cmdline"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{6CA7D817-D114-654B-1D24-000000000A03}5228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; $autoitExePath = \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\""; if (-not (Test-Path -Path $autoitExePath)) { iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; } Start-Process -FilePath $autoitExePath -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015928Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:19:00.175{6CA7D817-D114-654B-1D24-000000000A03}5228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {$ErrorActionPreference = 'Stop'; $autoitExePath = \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\""; if (-not (Test-Path -Path $autoitExePath)) { iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; } Start-Process -FilePath $autoitExePath -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"").Path;}C:\Users\ADMINI~1\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{6CA7D817-C983-654B-0923-000000000A03}4556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" AR-WIN-2\Administrator 154100x800000000000000015912Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:16:16.469{6CA7D817-D070-654B-0F24-000000000A03}7016C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{6CA7D817-D06F-654B-0A24-000000000A03}1828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; Start-Process -FilePath \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\"" -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015911Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:16:16.375{6CA7D817-D070-654B-0E24-000000000A03}3520C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{6CA7D817-D06F-654B-0A24-000000000A03}1828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; Start-Process -FilePath \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\"" -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015908Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:16:16.100{6CA7D817-D070-654B-0C24-000000000A03}6724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\k500sqop\k500sqop.cmdline"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{6CA7D817-D06F-654B-0A24-000000000A03}1828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; Start-Process -FilePath \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\"" -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015904Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:16:15.477{6CA7D817-D06F-654B-0A24-000000000A03}1828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {$ErrorActionPreference = 'Stop'; iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; Start-Process -FilePath \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\"" -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"").Path;}C:\Users\ADMINI~1\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{6CA7D817-C983-654B-0923-000000000A03}4556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" AR-WIN-2\Administrator 154100x800000000000000015890Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:15:37.470{6CA7D817-D049-654B-FE23-000000000A03}5944C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{6CA7D817-D048-654B-F723-000000000A03}4208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; Start-Process -FilePath \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\"" -ArgumentList C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"")}AR-WIN-2\Administrator 154100x800000000000000015889Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:15:37.351{6CA7D817-D049-654B-FB23-000000000A03}2408C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{6CA7D817-D048-654B-F723-000000000A03}4208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; Start-Process -FilePath \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\"" -ArgumentList C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"")}AR-WIN-2\Administrator 154100x800000000000000015886Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:15:37.181{6CA7D817-D049-654B-F923-000000000A03}1448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\tjncrjl0\tjncrjl0.cmdline"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{6CA7D817-D048-654B-F723-000000000A03}4208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; Start-Process -FilePath \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\"" -ArgumentList C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"")}AR-WIN-2\Administrator 154100x800000000000000015882Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:15:36.520{6CA7D817-D048-654B-F723-000000000A03}4208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {$ErrorActionPreference = 'Stop'; iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; Start-Process -FilePath \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\"" -ArgumentList C:\AtomicRedTeam\atomics\T1059\src\automsgbox.au3\"")}C:\Users\ADMINI~1\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{6CA7D817-C983-654B-0923-000000000A03}4556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" AR-WIN-2\Administrator 11241100x800000000000000015849Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localEXE2023-11-08 18:13:05.714{6CA7D817-CF8B-654B-D523-000000000A03}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\autoit-v3\install\AutoIt3.exe2023-11-08 18:13:05.714AR-WIN-2\Administrator 154100x800000000000000015824Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:12:28.647{6CA7D817-CF8C-654B-DA23-000000000A03}7008C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{6CA7D817-CF8B-654B-D523-000000000A03}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; Start-Process -FilePath \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\"" -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015823Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:12:28.500{6CA7D817-CF8C-654B-D923-000000000A03}6912C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{6CA7D817-CF8B-654B-D523-000000000A03}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; Start-Process -FilePath \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\"" -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015820Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:12:28.337{6CA7D817-CF8C-654B-D723-000000000A03}3064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\to5yi55h\to5yi55h.cmdline"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{6CA7D817-CF8B-654B-D523-000000000A03}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; Start-Process -FilePath \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\"" -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015816Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:12:27.688{6CA7D817-CF8B-654B-D523-000000000A03}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {$ErrorActionPreference = 'Stop'; iwr 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip' -OutFile \""$env:TEMP\\autoit-v3.zip\""; Expand-Archive -LiteralPath \""$env:TEMP\\autoit-v3.zip\"" -DestinationPath \""$env:TEMP\\autoit-v3\""; Start-Process -FilePath \""$env:TEMP\\autoit-v3\\install\\autoit3.exe\"" -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\src\automsgbox.au3\"").Path;}C:\Users\ADMINI~1\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{6CA7D817-C983-654B-0923-000000000A03}4556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" AR-WIN-2\Administrator 154100x800000000000000015632Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:08:03.951{6CA7D817-CE83-654B-A623-000000000A03}6984C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{6CA7D817-CE83-654B-A023-000000000A03}4352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; $WebClient = New-Object System.Net.WebClient; $Url = 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip'; $TempPath = $env:TEMP; $ZipFile = \""$TempPath\\autoit-v3.zip\""; $WebClient.DownloadFile($Url, $ZipFile); $ExtractPath = \""$TempPath\\autoit-v3\""; Expand-Archive -LiteralPath $ZipFile -DestinationPath $ExtractPath; Start-Process -FilePath \""$ExtractPath\\install\\autoit3.exe\"" -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015631Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:08:03.832{6CA7D817-CE83-654B-A523-000000000A03}5956C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{6CA7D817-CE83-654B-A023-000000000A03}4352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; $WebClient = New-Object System.Net.WebClient; $Url = 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip'; $TempPath = $env:TEMP; $ZipFile = \""$TempPath\\autoit-v3.zip\""; $WebClient.DownloadFile($Url, $ZipFile); $ExtractPath = \""$TempPath\\autoit-v3\""; Expand-Archive -LiteralPath $ZipFile -DestinationPath $ExtractPath; Start-Process -FilePath \""$ExtractPath\\install\\autoit3.exe\"" -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015627Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:08:03.650{6CA7D817-CE83-654B-A223-000000000A03}2760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\45rjfhka\45rjfhka.cmdline"C:\Users\Administrator\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{6CA7D817-CE83-654B-A023-000000000A03}4352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$ErrorActionPreference = 'Stop'; $WebClient = New-Object System.Net.WebClient; $Url = 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip'; $TempPath = $env:TEMP; $ZipFile = \""$TempPath\\autoit-v3.zip\""; $WebClient.DownloadFile($Url, $ZipFile); $ExtractPath = \""$TempPath\\autoit-v3\""; Expand-Archive -LiteralPath $ZipFile -DestinationPath $ExtractPath; Start-Process -FilePath \""$ExtractPath\\install\\autoit3.exe\"" -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\src\automsgbox.au3\"").Path;}AR-WIN-2\Administrator 154100x800000000000000015623Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 18:08:03.251{6CA7D817-CE83-654B-A023-000000000A03}4352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {$ErrorActionPreference = 'Stop'; $WebClient = New-Object System.Net.WebClient; $Url = 'https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3.zip'; $TempPath = $env:TEMP; $ZipFile = \""$TempPath\\autoit-v3.zip\""; $WebClient.DownloadFile($Url, $ZipFile); $ExtractPath = \""$TempPath\\autoit-v3\""; Expand-Archive -LiteralPath $ZipFile -DestinationPath $ExtractPath; Start-Process -FilePath \""$ExtractPath\\install\\autoit3.exe\"" -ArgumentList (Resolve-Path \""C:\AtomicRedTeam\atomics\src\automsgbox.au3\"").Path;}C:\Users\ADMINI~1\AppData\Local\Temp\2\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{6CA7D817-C983-654B-0923-000000000A03}4556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" AR-WIN-2\Administrator 534500x800000000000000014836Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 17:47:06.180{6CA7D817-C999-654B-1223-000000000A03}6884C:\Users\Administrator\Downloads\autoit-v3\install\AutoIt3.exeAR-WIN-2\Administrator 154100x800000000000000014835Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 17:47:05.414{6CA7D817-C999-654B-1223-000000000A03}6884C:\Users\Administrator\Downloads\autoit-v3\install\AutoIt3.exe3, 3, 16, 1AutoIt v3 ScriptAutoIt v3 ScriptAutoIt TeamAutoIt3.exe"C:\Users\Administrator\Downloads\autoit-v3\install\AutoIt3.exe" helpC:\Users\Administrator\Downloads\autoit-v3\install\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=0ADB9B817F1DF7807576C2D7068DD931,SHA256=98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B,IMPHASH=07F236B4003A1F1174171E18CAD3B475{6CA7D817-C983-654B-0923-000000000A03}4556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" AR-WIN-2\Administrator 534500x800000000000000014831Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 17:47:01.072{6CA7D817-C993-654B-0C23-000000000A03}6592C:\Users\Administrator\Downloads\autoit-v3\install\AutoIt3.exeAR-WIN-2\Administrator 154100x800000000000000014828Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 17:46:59.375{6CA7D817-C993-654B-0C23-000000000A03}6592C:\Users\Administrator\Downloads\autoit-v3\install\AutoIt3.exe3, 3, 16, 1AutoIt v3 ScriptAutoIt v3 ScriptAutoIt TeamAutoIt3.exe"C:\Users\Administrator\Downloads\autoit-v3\install\AutoIt3.exe" -hC:\Users\Administrator\Downloads\autoit-v3\install\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=0ADB9B817F1DF7807576C2D7068DD931,SHA256=98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B,IMPHASH=07F236B4003A1F1174171E18CAD3B475{6CA7D817-C983-654B-0923-000000000A03}4556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" AR-WIN-2\Administrator 534500x800000000000000014827Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 17:46:58.321{6CA7D817-C990-654B-0B23-000000000A03}6424C:\Users\Administrator\Downloads\autoit-v3\install\AutoIt3.exeAR-WIN-2\Administrator 154100x800000000000000014826Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 17:46:56.226{6CA7D817-C990-654B-0B23-000000000A03}6424C:\Users\Administrator\Downloads\autoit-v3\install\AutoIt3.exe3, 3, 16, 1AutoIt v3 ScriptAutoIt v3 ScriptAutoIt TeamAutoIt3.exe"C:\Users\Administrator\Downloads\autoit-v3\install\AutoIt3.exe"C:\Users\Administrator\Downloads\autoit-v3\install\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=0ADB9B817F1DF7807576C2D7068DD931,SHA256=98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B,IMPHASH=07F236B4003A1F1174171E18CAD3B475{6CA7D817-C983-654B-0923-000000000A03}4556C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" AR-WIN-2\Administrator 13241300x800000000000000014823Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localInvDB-VerSetValue2023-11-08 17:46:38.369{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4eabba1c-23e1-3dde-723b-33bda1d341d3}\Root\InventoryApplicationFile\autoit3.exe|dd51bb0d5f6fc5ac\BinProductVersion3.3.16.1NT AUTHORITY\SYSTEM 13241300x800000000000000014822Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localInvDB-CompileTimeClaimSetValue2023-11-08 17:46:38.369{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4eabba1c-23e1-3dde-723b-33bda1d341d3}\Root\InventoryApplicationFile\autoit3.exe|dd51bb0d5f6fc5ac\LinkDate09/19/2022 18:34:17NT AUTHORITY\SYSTEM 13241300x800000000000000014821Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localInvDB-PubSetValue2023-11-08 17:46:38.369{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4eabba1c-23e1-3dde-723b-33bda1d341d3}\Root\InventoryApplicationFile\autoit3.exe|dd51bb0d5f6fc5ac\Publisherautoit teamNT AUTHORITY\SYSTEM 13241300x800000000000000014820Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localInvDB-PathSetValue2023-11-08 17:46:38.368{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4eabba1c-23e1-3dde-723b-33bda1d341d3}\Root\InventoryApplicationFile\autoit3.exe|dd51bb0d5f6fc5ac\LowerCaseLongPathc:\users\administrator\downloads\autoit-v3\install\autoit3.exeNT AUTHORITY\SYSTEM 13241300x800000000000000014819Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localInvDBSetValue2023-11-08 17:46:38.351{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exeHKU\S-1-5-21-1570081662-2631104095-3404167468-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\autoit-v3\install\AutoIt3.exeBinary DataNT AUTHORITY\SYSTEM 534500x800000000000000014818Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 17:46:36.349{6CA7D817-C979-654B-0623-000000000A03}3928C:\Users\Administrator\Downloads\autoit-v3\install\AutoIt3.exeAR-WIN-2\Administrator 13241300x800000000000000014817Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localInvDBSetValue2023-11-08 17:46:33.170{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exeHKU\S-1-5-21-1570081662-2631104095-3404167468-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\autoit-v3\install\AutoIt3.exeBinary DataNT AUTHORITY\SYSTEM 154100x800000000000000014816Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 17:46:33.161{6CA7D817-C979-654B-0623-000000000A03}3928C:\Users\Administrator\Downloads\autoit-v3\install\AutoIt3.exe3, 3, 16, 1AutoIt v3 ScriptAutoIt v3 ScriptAutoIt TeamAutoIt3.exe"C:\Users\Administrator\Downloads\autoit-v3\install\AutoIt3.exe" C:\Users\Administrator\Downloads\autoit-v3\install\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=0ADB9B817F1DF7807576C2D7068DD931,SHA256=98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B,IMPHASH=07F236B4003A1F1174171E18CAD3B475{6CA7D817-C8F8-654B-BB22-000000000A03}2608C:\Windows\explorer.exeC:\Windows\Explorer.EXEAR-WIN-2\Administrator 254200x800000000000000011947Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localT10992023-11-08 17:46:22.988{6CA7D817-C96E-654B-0523-000000000A03}2576C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\autoit-v3\install\AutoIt3.exe2022-09-19 18:34:28.0922023-11-08 17:46:22.974AR-WIN-2\Administrator 11241100x800000000000000011946Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.localDownloads2023-11-08 17:46:22.975{6CA7D817-C96E-654B-0523-000000000A03}2576C:\Program Files\7-Zip\7zG.exeC:\Users\Administrator\Downloads\autoit-v3\install\AutoIt3.exe2023-11-08 17:46:22.974AR-WIN-2\Administrator