Security 4688 (process creation), EventRecordID 371901
  System: Version=2 | Level=0 | Task=13312 | Opcode=0 | Keywords=0x8020000000000000 | Channel=Security | Computer=ar-win-2.attackrange.local
  SubjectUserSid: AR-WIN-2\Administrator | SubjectUserName: Administrator | SubjectDomainName: AR-WIN-2 | SubjectLogonId: 0x5d72e
  NewProcessId: 0x5a8 | NewProcessName: C:\Windows\System32\conhost.exe | TokenElevationType: %%1936
  ProcessId: 0xaa0 | CommandLine: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  TargetUserSid: NULL SID | TargetUserName: - | TargetDomainName: - | TargetLogonId: 0x0
  ParentProcessName: C:\Windows\System32\wevtutil.exe | MandatoryLabel: Mandatory Label\High Mandatory Level

Security 4688 (process creation), EventRecordID 371900
  System: Version=2 | Level=0 | Task=13312 | Opcode=0 | Keywords=0x8020000000000000 | Channel=Security | Computer=ar-win-2.attackrange.local
  SubjectUserSid: AR-WIN-2\Administrator | SubjectUserName: Administrator | SubjectDomainName: AR-WIN-2 | SubjectLogonId: 0x5d72e
  NewProcessId: 0xaa0 | NewProcessName: C:\Windows\System32\wevtutil.exe | TokenElevationType: %%1936
  ProcessId: 0x970 | CommandLine: wevtutil cl "Windows PowerShell"
  TargetUserSid: NULL SID | TargetUserName: - | TargetDomainName: - | TargetLogonId: 0x0
  ParentProcessName: C:\Windows\System32\wscript.exe | MandatoryLabel: Mandatory Label\High Mandatory Level

Sysmon 7 (Image loaded), EventRecordID 7845
  System: Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=ar-win-2.attackrange.local
  RuleName: - | UtcTime: 2024-06-17 16:00:09.430 | ProcessGuid: {8C7CB5F3-5D89-6670-E902-000000000B03} | ProcessId: 2720
  Image: C:\Windows\System32\wevtutil.exe
  ImageLoaded: C:\Windows\System32\bcrypt.dll
  FileVersion: 10.0.14393.6078 (rs1_release.230626-1747) | Description: Windows Cryptographic Primitives Library
  Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: bcrypt.dll
  Hashes: MD5=E1646639F9F581545605E98E4F539346,SHA256=31B0C8AB5A85D4566E7227852E8111EE615EDE842EC17DA8D6127D38556805E5,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D
  Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid | User: AR-WIN-2\Administrator

Sysmon 7 (Image loaded), EventRecordID 7844
  System: Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=ar-win-2.attackrange.local
  RuleName: - | UtcTime: 2024-06-17 16:00:09.430 | ProcessGuid: {8C7CB5F3-5D89-6670-E902-000000000B03} | ProcessId: 2720
  Image: C:\Windows\System32\wevtutil.exe
  ImageLoaded: C:\Windows\System32\advapi32.dll
  FileVersion: 10.0.14393.6167 (rs1_release.230802-0927) | Description: Advanced Windows 32 Base API
  Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: advapi32.dll
  Hashes: MD5=93872F14A5CE7F5FB4A60685A962A941,SHA256=4DAD9B17C90EE442227E8F8C7BAFF70241FA40A19DF7BB3ADF0D876383BD10F2,IMPHASH=952BB451766D014E1FD706A6F953EAF0
  Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid | User: AR-WIN-2\Administrator

Sysmon 7 (Image loaded), EventRecordID 7843
  System: Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=ar-win-2.attackrange.local
  RuleName: - | UtcTime: 2024-06-17 16:00:09.430 | ProcessGuid: {8C7CB5F3-5D89-6670-E902-000000000B03} | ProcessId: 2720
  Image: C:\Windows\System32\wevtutil.exe
  ImageLoaded: C:\Windows\System32\sechost.dll
  FileVersion: 10.0.14393.6167 (rs1_release.230802-0927) | Description: Host for SCM/SDDL/LSA Lookup APIs
  Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: sechost.dll
  Hashes: MD5=68B7F724518D088533E1ECD2868469EA,SHA256=3EA1762B7BB09A4BE157469452F420ECCE75887186BEB173C5EB7B3C02C99AF2,IMPHASH=D6E06125849E8565A50F366A0149FB40
  Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid | User: AR-WIN-2\Administrator

Sysmon 7 (Image loaded), EventRecordID 7842
  System: Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=ar-win-2.attackrange.local
  RuleName: - | UtcTime: 2024-06-17 16:00:09.430 | ProcessGuid: {8C7CB5F3-5D89-6670-E902-000000000B03} | ProcessId: 2720
  Image: C:\Windows\System32\wevtutil.exe
  ImageLoaded: C:\Windows\System32\bcryptprimitives.dll
  FileVersion: 10.0.14393.4770 (rs1_release.211101-1440) | Description: Windows Cryptographic Primitives Library
  Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: bcryptprimitives.dll
  Hashes: MD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5
  Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid | User: AR-WIN-2\Administrator

Sysmon 7 (Image loaded), EventRecordID 7841
  System: Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=ar-win-2.attackrange.local
  RuleName: - | UtcTime: 2024-06-17 16:00:09.430 | ProcessGuid: {8C7CB5F3-5D89-6670-E902-000000000B03} | ProcessId: 2720
  Image: C:\Windows\System32\wevtutil.exe
  ImageLoaded: C:\Windows\System32\combase.dll
  FileVersion: 10.0.14393.6078 (rs1_release.230626-1747) | Description: Microsoft COM for Windows
  Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: COMBASE.DLL
  Hashes: MD5=F9EDC9CB2A58E142D883CAF72E482EA8,SHA256=2311C7D52C94FB9B629EE099A2ACE83831B2AA929B12198672B4867415C3294B,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1
  Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid | User: AR-WIN-2\Administrator

Sysmon 7 (Image loaded), EventRecordID 7840
  System: Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=ar-win-2.attackrange.local
  RuleName: - | UtcTime: 2024-06-17 16:00:09.430 | ProcessGuid: {8C7CB5F3-5D89-6670-E902-000000000B03} | ProcessId: 2720
  Image: C:\Windows\System32\wevtutil.exe
  ImageLoaded: C:\Windows\System32\ucrtbase.dll
  FileVersion: 10.0.14393.3659 (rs1_release_1.200410-1813) | Description: Microsoft® C Runtime Library
  Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: ucrtbase.dll
  Hashes: MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C
  Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid | User: AR-WIN-2\Administrator

Sysmon 7 (Image loaded), EventRecordID 7839
  System: Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=ar-win-2.attackrange.local
  RuleName: - | UtcTime: 2024-06-17 16:00:09.430 | ProcessGuid: {8C7CB5F3-5D89-6670-E902-000000000B03} | ProcessId: 2720
  Image: C:\Windows\System32\wevtutil.exe
  ImageLoaded: C:\Windows\System32\msvcp_win.dll
  FileVersion: 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Description: Microsoft® C Runtime Library
  Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: msvcp_win.dll
  Hashes: MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A
  Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid | User: AR-WIN-2\Administrator

Sysmon 7 (Image loaded), EventRecordID 7838
  System: Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=ar-win-2.attackrange.local
  RuleName: - | UtcTime: 2024-06-17 16:00:09.430 | ProcessGuid: {8C7CB5F3-5D89-6670-E902-000000000B03} | ProcessId: 2720
  Image: C:\Windows\System32\wevtutil.exe
  ImageLoaded: C:\Windows\System32\oleaut32.dll
  FileVersion: 10.0.14393.6078 (rs1_release.230626-1747) | Description: OLEAUT32.DLL
  Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: OLEAUT32.DLL
  Hashes: MD5=76102A365A7CB74FB16D927F4E049D48,SHA256=3E3F0FE9B7A89470FA4A8D2B49B35A7852DE0B9B642E2EE88D2730B6F89243A7,IMPHASH=8987D71C85BB2C13D3D90194331F962F
  Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid | User: AR-WIN-2\Administrator

Sysmon 7 (Image loaded), EventRecordID 7837
  System: Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=ar-win-2.attackrange.local
  RuleName: - | UtcTime: 2024-06-17 16:00:09.430 | ProcessGuid: {8C7CB5F3-5D89-6670-E902-000000000B03} | ProcessId: 2720
  Image: C:\Windows\System32\wevtutil.exe
  ImageLoaded: C:\Windows\System32\rpcrt4.dll
  FileVersion: 10.0.14393.6167 (rs1_release.230802-0927) | Description: Remote Procedure Call Runtime
  Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: rpcrt4.dll
  Hashes: MD5=9CB074F67D34F00CAECD38A2935CF71B,SHA256=1B5C3BCAC11AD27DFEE3A4B8B30132541C9B3E206BDADCAFE3D3C4A6CC281E69,IMPHASH=B1BDD8254CFA1B882C6610639813A789
  Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid | User: AR-WIN-2\Administrator

Sysmon 7 (Image loaded), EventRecordID 7836
  System: Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=ar-win-2.attackrange.local
  RuleName: - | UtcTime: 2024-06-17 16:00:09.430 | ProcessGuid: {8C7CB5F3-5D89-6670-E902-000000000B03} | ProcessId: 2720
  Image: C:\Windows\System32\wevtutil.exe
  ImageLoaded: C:\Windows\System32\msvcrt.dll
  FileVersion: 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Description: Windows NT CRT DLL
  Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: msvcrt.dll
  Hashes: MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF
  Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid | User: AR-WIN-2\Administrator

Sysmon 7 (Image loaded), EventRecordID 7815
  System: Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=ar-win-2.attackrange.local
  RuleName: - | UtcTime: 2024-06-17 16:00:09.383 | ProcessGuid: {8C7CB5F3-5D89-6670-E902-000000000B03} | ProcessId: 2720
  Image: C:\Windows\System32\wevtutil.exe
  ImageLoaded: C:\Windows\System32\wevtutil.exe
  FileVersion: 10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810) | Description: Eventing Command Line Utility
  Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: wevtutil.exe
  Hashes: MD5=91803E340A7E7AFDF95A8031F6EF3F3E,SHA256=DCFD99FE08A5D46C52E810FE2F9CC15AC82008975C0A731A11773B11ADE0F3CC,IMPHASH=51FFA3B7FBD1EF82ECE0730B54406E64
  Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid | User: AR-WIN-2\Administrator

Sysmon 7 (Image loaded), EventRecordID 7802
  System: Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=ar-win-2.attackrange.local
  RuleName: - | UtcTime: 2024-06-17 16:00:09.383 | ProcessGuid: {8C7CB5F3-5D89-6670-E902-000000000B03} | ProcessId: 2720
  Image: C:\Windows\System32\wevtutil.exe
  ImageLoaded: C:\Windows\System32\KernelBase.dll
  FileVersion: 10.0.14393.5850 (rs1_release.230329-2152) | Description: Windows NT BASE API Client DLL
  Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: Kernelbase.dll
  Hashes: MD5=0821162212E6D706CCB76E45AD94370A,SHA256=041AD87687BC67529D09E3115DFA3FD2617FC341E50223AD3F13226F0C087B74,IMPHASH=F7C7E1EE1C2BB52E0AD557AF7ACC62EF
  Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid | User: AR-WIN-2\Administrator

Sysmon 7 (Image loaded), EventRecordID 7801
  System: Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=ar-win-2.attackrange.local
  RuleName: - | UtcTime: 2024-06-17 16:00:09.383 | ProcessGuid: {8C7CB5F3-5D89-6670-E902-000000000B03} | ProcessId: 2720
  Image: C:\Windows\System32\wevtutil.exe
  ImageLoaded: C:\Windows\System32\kernel32.dll
  FileVersion: 10.0.14393.5786 (rs1_release.230308-2129) | Description: Windows NT BASE API Client DLL
  Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: kernel32
  Hashes: MD5=6106351FEF2322985DB428C333E087B6,SHA256=0C75568B56CBA20B5C8322FB6A721683245DD950F720A252B0BA804E0734B335,IMPHASH=FB0902ED6F75DCE492C3ACF2E2007772
  Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid | User: AR-WIN-2\Administrator

Sysmon 7 (Image loaded), EventRecordID 7800
  System: Version=3 | Level=4 | Task=7 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=ar-win-2.attackrange.local
  RuleName: - | UtcTime: 2024-06-17 16:00:09.383 | ProcessGuid: {8C7CB5F3-5D89-6670-E902-000000000B03} | ProcessId: 2720
  Image: C:\Windows\System32\wevtutil.exe
  ImageLoaded: C:\Windows\System32\ntdll.dll
  FileVersion: 10.0.14393.5980 (rs1_release.230508-1729) | Description: NT Layer DLL
  Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: ntdll.dll
  Hashes: MD5=86AEB760D9EF98E8AA602A5AC674A1E6,SHA256=A26B7BB6EE89FA07DAAB28D8CA8206BA88BA2419AB01514DF1FC0B8CF0EFB4ED,IMPHASH=00000000000000000000000000000000
  Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid | User: AR-WIN-2\Administrator

Sysmon 1 (Process Create), EventRecordID 7799
  System: Version=5 | Level=4 | Task=1 | Opcode=0 | Keywords=0x8000000000000000 | Channel=Microsoft-Windows-Sysmon/Operational | Computer=ar-win-2.attackrange.local
  RuleName: - | UtcTime: 2024-06-17 16:00:09.387 | ProcessGuid: {8C7CB5F3-5D89-6670-E902-000000000B03} | ProcessId: 2720
  Image: C:\Windows\System32\wevtutil.exe
  FileVersion: 10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810) | Description: Eventing Command Line Utility
  Product: Microsoft® Windows® Operating System | Company: Microsoft Corporation | OriginalFileName: wevtutil.exe
  CommandLine: wevtutil cl "Windows PowerShell"
  CurrentDirectory: C:\Temp\ | User: AR-WIN-2\Administrator | LogonGuid: {8C7CB5F3-4C12-6670-2ED7-050000000000} | LogonId: 0x5d72e | TerminalSessionId: 2 | IntegrityLevel: High
  Hashes: MD5=91803E340A7E7AFDF95A8031F6EF3F3E,SHA256=DCFD99FE08A5D46C52E810FE2F9CC15AC82008975C0A731A11773B11ADE0F3CC,IMPHASH=51FFA3B7FBD1EF82ECE0730B54406E64
  ParentProcessGuid: {8C7CB5F3-5D7E-6670-DD02-000000000B03} | ParentProcessId: 2416 | ParentImage: C:\Windows\System32\wscript.exe
  ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Temp\shrink_locker.vbs"
  ParentUser: AR-WIN-2\Administrator
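The records above show one process chain twice: wscript.exe running shrink_locker.vbs spawns wevtutil.exe with `cl "Windows PowerShell"`, which clears that log (ATT&CK T1070.001), and the same process is recorded once by Sysmon Event ID 1 (decimal PIDs 2720/2416) and once by Security 4688 (hex PIDs 0xaa0/0x970, TokenElevationType %%1936 = TokenElevationTypeFull, an elevated token). The following Python is an added example, not part of this dataset or of Attack Range: it implements the detection a SOC would run over such telemetry, with the sample events constructed by hand from the records on this page. It matches both the `cl` and `clear-log` verbs, extracts the log name, raises severity when the parent is a script host, and merges the Sysmon and 4688 views of the same PID into one finding so the two sources do not produce duplicate alerts.

```python
"""Flag Windows event-log clearing via wevtutil in process-creation telemetry.

Added example for the records above (not part of the dataset). The sample
events are constructed by hand from the Sysmon 1 and Security 4688 records.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# wevtutil verbs that clear a log: "cl" and its long form "clear-log".
# Accepts a bare name, a quoted or unquoted full path, and an optional .exe suffix.
CLEAR_VERB = re.compile(
    r'^\s*"?(?:.*\\)?wevtutil(?:\.exe)?"?\s+(cl|clear-log)\b', re.IGNORECASE)

# Parents that make a log clear more suspicious than an admin at a console.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

# Security 4688 TokenElevationType value meaning a full (elevated) token.
TOKEN_ELEVATION_FULL = "%%1936"


@dataclass
class ProcEvent:
    """Common shape for a Sysmon EID 1 or Security 4688 process-creation record."""
    source: str          # "sysmon-1" or "security-4688"
    record_id: int
    pid: int             # 4688 PIDs are hex strings in the log; converted to int here
    image: str
    command_line: str
    parent_pid: int
    parent_image: str
    user: str


@dataclass
class Finding:
    pid: int
    user: str
    log_cleared: str
    parent_image: str
    parent_pid: int
    severity: str
    sources: List[str]


# Constructed from the records on this page (hex PIDs from 4688 converted to int).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent("sysmon-1", 7799, 2720, r"C:\Windows\System32\wevtutil.exe",
              'wevtutil cl "Windows PowerShell"', 2416,
              r"C:\Windows\System32\wscript.exe", r"AR-WIN-2\Administrator"),
    ProcEvent("security-4688", 371900, 0xaa0, r"C:\Windows\System32\wevtutil.exe",
              'wevtutil cl "Windows PowerShell"', 0x970,
              r"C:\Windows\System32\wscript.exe", r"AR-WIN-2\Administrator"),
    ProcEvent("security-4688", 371901, 0x5a8, r"C:\Windows\System32\conhost.exe",
              r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", 0xaa0,
              r"C:\Windows\System32\wevtutil.exe", r"AR-WIN-2\Administrator"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def cleared_log(command_line: str) -> Optional[str]:
    """Return the log a wevtutil command clears, or None if it is not a clear."""
    m = CLEAR_VERB.match(command_line)
    if not m:
        return None
    rest = command_line[m.end():].strip()
    quoted = re.match(r'"([^"]*)"', rest)  # log names with spaces are quoted
    if quoted:
        return quoted.group(1)
    return rest.split()[0] if rest else ""


def token_elevation_full(token_type: str) -> bool:
    """True when a 4688 TokenElevationType means the process got a full (elevated) token."""
    return token_type.strip() == TOKEN_ELEVATION_FULL


def detect(events: Iterable[ProcEvent]) -> List[Finding]:
    """One finding per wevtutil clear; Sysmon 1 and 4688 views of the same process are merged."""
    merged: Dict[Tuple[int, str], Finding] = {}
    for ev in events:
        if basename(ev.image) != "wevtutil.exe":
            continue
        log = cleared_log(ev.command_line)
        if log is None:
            continue
        key = (ev.pid, ev.command_line)
        if key not in merged:
            parent = basename(ev.parent_image)
            merged[key] = Finding(
                pid=ev.pid, user=ev.user, log_cleared=log, parent_image=parent,
                parent_pid=ev.parent_pid,
                severity="high" if parent in SCRIPT_HOSTS else "medium",
                sources=[])
        merged[key].sources.append(ev.source)
    return list(merged.values())


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid {f.pid} ({f.user}) cleared '{f.log_cleared}'; "
              f"parent {f.parent_image} pid {f.parent_pid}; seen in {', '.join(f.sources)}")
```

On the sample data this yields a single high-severity finding for PID 2720 (wscript.exe parent 2416, log "Windows PowerShell") with both sources attached; the conhost.exe child is ignored because the image filter runs before the command-line check. Note that the clearing itself also produces a Security 1102 or System 104 record in the log that was cleared, so a process-creation match like this one is a useful early signal rather than the only evidence.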