13241300x800000000000000025689Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\UsnQWORD (0x00000000-0x04634ba0)NT AUTHORITY\SYSTEM 13241300x800000000000000025688Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\LanguageDWORD (0x00000409)NT AUTHORITY\SYSTEM 13241300x800000000000000025687Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\SizeQWORD (0x00000000-0x000769d0)NT AUTHORITY\SYSTEM 13241300x800000000000000025686Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\AppxPackageRelativeId(Empty)NT AUTHORITY\SYSTEM 13241300x800000000000000025685Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\AppxPackageFullName(Empty)NT AUTHORITY\SYSTEM 13241300x800000000000000025684Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\BinProductVersion10.0.19041.685NT AUTHORITY\SYSTEM 13241300x800000000000000025683Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\LinkDate04/23/2001 14:32:39NT AUTHORITY\SYSTEM 13241300x800000000000000025682Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\ProductVersion10.0.19041.685NT AUTHORITY\SYSTEM 13241300x800000000000000025681Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\ProductNamemicrosoft® windows® operating systemNT AUTHORITY\SYSTEM 13241300x800000000000000025680Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\BinaryTypepe32_i386NT AUTHORITY\SYSTEM 13241300x800000000000000025679Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\BinFileVersion10.0.19041.685NT AUTHORITY\SYSTEM 13241300x800000000000000025678Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\Version10.0.19041.685 (winbuild.160101.0800)NT AUTHORITY\SYSTEM 13241300x800000000000000025677Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\Publishermicrosoft corporationNT AUTHORITY\SYSTEM 13241300x800000000000000025676Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\OriginalFileNamewindbg.exeNT AUTHORITY\SYSTEM 13241300x800000000000000025675Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\Namewindbg.exeNT AUTHORITY\SYSTEM 13241300x800000000000000025674Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\LongPathHashwindbg.exe|620268f24014dc87NT AUTHORITY\SYSTEM 13241300x800000000000000025673Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\LowerCaseLongPathc:\users\administrator\appdata\local\temp\mw-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeNT AUTHORITY\SYSTEM 13241300x800000000000000025672Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\FileId000058dcb1cbbec071d036a07f0e8feb858e4c5b96e7NT AUTHORITY\SYSTEM 13241300x800000000000000025671Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87\ProgramId00063256ba674acb78bb9dd500d6f4cd014b00000904NT AUTHORITY\SYSTEM 12241200x800000000000000025670Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-CreateKey2023-11-08 19:16:36.650{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exe\REGISTRY\A\{4b7e811e-dcb9-5c24-7b63-19748e1d5458}\Root\InventoryApplicationFile\windbg.exe|620268f24014dc87NT AUTHORITY\SYSTEM 13241300x800000000000000025653Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:36.634{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exeHKU\S-1-5-21-1570081662-2631104095-3404167468-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeBinary DataNT AUTHORITY\SYSTEM 534500x800000000000000024916Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:34.375{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeAR-WIN-2\Administrator 734700x800000000000000024910Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:34.375{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValidAR-WIN-2\Administrator 10341000x800000000000000024908Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:34.360{6CA7D817-DE91-654B-7225-000000000A03}37523056C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe{6CA7D817-DE92-654B-7325-000000000A03}1356c:\tmpa\Autoit3.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+157d2b(wow64)|C:\Windows\System32\KERNELBASE.dll+1579dc(wow64)|UNKNOWN(0000000006D537A1)|UNKNOWN(0000000006D53AAF)|UNKNOWN(0000000006D5B95F)|UNKNOWN(0000000006D4A865)|C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\dbgeng.dll+a0b37(wow64)|C:\Windows\SYSTEM32\ntdll.dll+6ea4e(wow64)|C:\Windows\SYSTEM32\ntdll.dll+3eeb6(wow64)|C:\Windows\SYSTEM32\ntdll.dll+52fcc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+52e6b(wow64)|C:\Windows\SYSTEM32\ntdll.dll+52e82(wow64)AR-WIN-2\AdministratorAR-WIN-2\Administrator 154100x800000000000000024907Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:34.365{6CA7D817-DE92-654B-7325-000000000A03}1356C:\tmpa\Autoit3.exe3, 3, 14, 5AutoIt v3 ScriptAutoIt v3 ScriptAutoIt TeamAutoIt3.exec:\tmpa\Autoit3.exe c:\tmpa\script.au3C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=C56B5F0201A3B3DE53E561FE76912BFD,SHA256=237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe"C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe" AR-WIN-2\Administrator 11241100x800000000000000024905Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:34.328{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\tmpa\script.au32023-11-08 19:16:34.328AR-WIN-2\Administrator 29542900x800000000000000024879Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:34.125{6CA7D817-DE91-654B-7225-000000000A03}3752AR-WIN-2\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\tmpa\Autoit3.exeMD5=C56B5F0201A3B3DE53E561FE76912BFD,SHA256=237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D 11241100x800000000000000024878Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:34.109{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\tmpa\Autoit3.exe2023-11-08 19:16:34.109AR-WIN-2\Administrator 10341000x800000000000000024832Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.843{6CA7D817-C909-654B-CC22-000000000A03}55965872C:\Program Files\Aurora-Agent\aurora-agent.exe{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a08(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C33390)NT AUTHORITY\SYSTEMAR-WIN-2\Administrator 10341000x800000000000000024831Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.843{6CA7D817-C909-654B-CC22-000000000A03}55965872C:\Program Files\Aurora-Agent\aurora-agent.exe{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a08(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C33390)NT AUTHORITY\SYSTEMAR-WIN-2\Administrator 10341000x800000000000000024830Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.843{6CA7D817-C909-654B-CC22-000000000A03}55965872C:\Program Files\Aurora-Agent\aurora-agent.exe{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a08(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C33390)NT AUTHORITY\SYSTEMAR-WIN-2\Administrator 10341000x800000000000000024816Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.816{6CA7D817-C909-654B-CC22-000000000A03}55965872C:\Program Files\Aurora-Agent\aurora-agent.exe{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a08(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C33390)NT AUTHORITY\SYSTEMAR-WIN-2\Administrator 10341000x800000000000000024815Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.815{6CA7D817-C909-654B-CC22-000000000A03}55965872C:\Program Files\Aurora-Agent\aurora-agent.exe{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a08(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C33390)NT AUTHORITY\SYSTEMAR-WIN-2\Administrator 10341000x800000000000000024814Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.815{6CA7D817-C909-654B-CC22-000000000A03}55965872C:\Program Files\Aurora-Agent\aurora-agent.exe{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a08(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C33390)NT AUTHORITY\SYSTEMAR-WIN-2\Administrator 11241100x800000000000000024788Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.724{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\tmpa2023-11-08 19:16:33.724AR-WIN-2\Administrator 734700x800000000000000024762Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.673{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=74261D485681A12AFF1AD517FD0EF200,SHA256=DEC3B7B1EBF3F7F4940FE63D665E2C50F6447C848C35C64B1BDE446E04358480trueMicrosoft WindowsValidAR-WIN-2\Administrator 10341000x800000000000000024751Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.679{6CA7D817-67D3-654A-1600-000000000A03}11882280C:\Windows\system32\svchost.exe{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMAR-WIN-2\Administrator 734700x800000000000000024746Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.658{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidAR-WIN-2\Administrator 10341000x800000000000000024745Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.679{6CA7D817-67D3-654A-1600-000000000A03}11881232C:\Windows\system32\svchost.exe{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMAR-WIN-2\Administrator 734700x800000000000000024739Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.678{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024732Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.655{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\dbgeng.dll-----MD5=0E15CF36767154814FB8E6B61C726E19,SHA256=036BA93B0FFB331A11CE1DDABC19FC6FD41824DD053FDCE3C1D3942910480F7Bfalse-UnavailableAR-WIN-2\Administrator 734700x800000000000000024731Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.660{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024730Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.655{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024728Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.655{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.6078 (rs1_release.230626-1747)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=6A6306345B79532502738C9131631CE7,SHA256=57299767A115DE472D13F7C2C82891F4E705A3AE525639EE44BACA480D5D36C1trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024726Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.636{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024701Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.636{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9BtrueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024700Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.636{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024699Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.634{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024675Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.631{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=529408E2C123D00D4CC2BEBCC8479566,SHA256=B8FE6F8E7B439EE4890F305AA008553CB68F6FEA7268262E6F1C3FD7F6FB90B8trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024674Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.630{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=80EE5186671CE3551034147EB20E8D5A,SHA256=4004CA1A47FE31D95444872D19BEA51A83472528001B3E8EC18BA0C843199AE9trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024673Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.599{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe10.0.19041.685 (WinBuild.160101.0800)Windows GUI symbolic debuggerMicrosoft® Windows® Operating SystemMicrosoft Corporationwindbg.exeMD5=04EC4F58A1F4A87B5EEB1F4B7AFC48E0,SHA256=BD1AF3DBA56B129E6C624297EEED40C898FA2981FCE5CAAFE467D88A748988A4trueMicrosoft CorporationValidAR-WIN-2\Administrator 734700x800000000000000024672Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.629{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024671Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.628{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.5427 (rs1_release.220929-2054)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=827CF4DF011EA7BAF277BBA7E74F262E,SHA256=9C9BBF48DC43E2C405C04BE00DF600989093BBCD6CC7FD66CE8BEA97EC7D8499trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024670Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.627{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024669Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.627{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.6167 (rs1_release.230802-0927)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=ACBCF08CD95CD19AB15082354034161C,SHA256=2C989F00A7F3AA5DF9F8D86B40D0439BE626717713A2CC421DF1EC31A0841BF8trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024668Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.626{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024667Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.626{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.6167 (rs1_release.230802-0927)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=6F728702141FCDA251ACE4189C8F2445,SHA256=F8D6FA3394999CB8C26F3F1B5DFBD6204B9C866F0DD26AEDFC3ADCDC09B93032trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024666Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.622{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024665Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.622{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\combase.dll10.0.14393.6078 (rs1_release.230626-1747)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6C5E04C128291325C4C73129EE47D388,SHA256=74E310950A9505F2AFAB0A9652CB9C050E7857520DD403112F9C860557879EB1trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024664Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.621{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.5921 (rs1_release.230504-1649)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=C1928154051BB483CD0A5AAF8D6E2A9B,SHA256=8A4A5AB2B0710449D2AD928DEB729392C26D00BA67DC403AD639335549F08ABAtrueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024663Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.619{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.51 (rs1_release_inmarket.160801-1836)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=9D8F7BD41657B515DD46C7BF90A26CDB,SHA256=F73F1D7C426282357007294D5108EB4509EB96C1DF82B86BD2E657D93E7204B5trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024662Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.619{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024661Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.618{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.6167 (rs1_release.230802-0927)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=66C11A5C6C38BCB8A73FAA24A4ABD851,SHA256=6FB8D4D3D496DB232C7F5F1711ACD1208AC2F186AF8D89E331EE4D5E9E9DE04CtrueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024660Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.617{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024659Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.617{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024658Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.616{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024657Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.616{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5427 (rs1_release.220929-2054)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=B422D6D349B239AA5DA5B66297A085B3,SHA256=3708B080455F4563B863211A4D602AE11CEBDEB94C8846EE580503C4F4A4DFE7trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024655Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.616{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.6167 (rs1_release.230802-0927)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8EA34FC1947521ECA742EDB6527EA2B6,SHA256=3AA3AA8B8DE886F2D7D6F5058ED92ADFB10D812F246E702152E58B45390193F6trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024654Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.614{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.6167 (rs1_release.230802-0927)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=B60C7BBA20B207C405120FDD901DCA57,SHA256=90679B59DA5BD59D916241A1EDC6DAEC3ED8F741009AD86F1DF9A89D403B07D2trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024647Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.613{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024641Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.613{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.6167 (rs1_release.230802-0927)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=386E4C15441439616F601ADE87241B9B,SHA256=27052A29B37DF205493FB7728AC8E285BDD013DECE2E17FB863A5D1212C73AC7trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024627Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.610{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5850 (rs1_release.230329-2152)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=EDD0D333267ABBDA2B9B8449B78F59E7,SHA256=7BEE9248D6DB96E807C3508598F88E2616016CAEB7129A2DE73077BF1E369B36trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024626Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.608{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5786 (rs1_release.230308-2129)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=29EC56B83CEEDE8F0BB7B7F90598A829,SHA256=DA76931E28DD59CCE11D760F8C5DF9CB2975A5C8329713CC52A0F55B10A62128trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024625Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.607{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024623Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.606{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024622Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.606{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\System32\kernel32.dll10.0.14393.5786 (rs1_release.230308-2129)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6106351FEF2322985DB428C333E087B6,SHA256=0C75568B56CBA20B5C8322FB6A721683245DD950F720A252B0BA804E0734B335trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024621Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.606{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5786 (rs1_release.230308-2129)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=29EC56B83CEEDE8F0BB7B7F90598A829,SHA256=DA76931E28DD59CCE11D760F8C5DF9CB2975A5C8329713CC52A0F55B10A62128trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024620Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.605{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\System32\kernel32.dll10.0.14393.5786 (rs1_release.230308-2129)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=6106351FEF2322985DB428C333E087B6,SHA256=0C75568B56CBA20B5C8322FB6A721683245DD950F720A252B0BA804E0734B335trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024619Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.599{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024618Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.599{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024617Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.599{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.5980 (rs1_release.230508-1729)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=455393C493BD8D65A796D69B1095DA5C,SHA256=63DE1DD2C11643A6FEB4992E671F9E9E6A1E934BDB41281F53A8AD85D4B75F56trueMicrosoft WindowsValidAR-WIN-2\Administrator 734700x800000000000000024616Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.599{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeC:\Windows\System32\ntdll.dll10.0.14393.5980 (rs1_release.230508-1729)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=86AEB760D9EF98E8AA602A5AC674A1E6,SHA256=A26B7BB6EE89FA07DAAB28D8CA8206BA88BA2419AB01514DF1FC0B8CF0EFB4EDtrueMicrosoft WindowsValidAR-WIN-2\Administrator 10341000x800000000000000024614Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.599{6CA7D817-67D3-654A-1300-000000000A03}10043968C:\Windows\System32\svchost.exe{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMAR-WIN-2\Administrator 13241300x800000000000000024613Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-SetValue2023-11-08 19:16:33.599{6CA7D817-67D3-654A-1300-000000000A03}1004C:\Windows\System32\svchost.exeHKU\S-1-5-21-1570081662-2631104095-3404167468-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeBinary DataNT AUTHORITY\SYSTEM 10341000x800000000000000024611Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.583{6CA7D817-67D3-654A-1300-000000000A03}10045696C:\Windows\System32\svchost.exe{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b153|C:\Windows\System32\RPCRT4.dll+ca378|C:\Windows\System32\RPCRT4.dll+2094b|C:\Windows\System32\RPCRT4.dll+64baa|C:\Windows\System32\RPCRT4.dll+45744|C:\Windows\System32\RPCRT4.dll+4465d|C:\Windows\System32\RPCRT4.dll+451ae|C:\Windows\System32\RPCRT4.dll+27be7|C:\Windows\System32\RPCRT4.dll+2823c|C:\Windows\System32\RPCRT4.dll+3798c|C:\Windows\System32\RPCRT4.dll+391eb|C:\Windows\System32\RPCRT4.dll+3ee9a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMAR-WIN-2\Administrator 10341000x800000000000000024607Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.583{6CA7D817-C8F5-654B-A622-000000000A03}24443948C:\Windows\system32\csrss.exe{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMAR-WIN-2\Administrator 10341000x800000000000000024606Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.579{6CA7D817-DE8F-654B-6D25-000000000A03}53486340C:\Windows\syswow64\MsiExec.exe{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d855c(wow64)|C:\Windows\System32\windows.storage.dll+122606(wow64)|C:\Windows\System32\windows.storage.dll+122327(wow64)|C:\Windows\System32\windows.storage.dll+121f78(wow64)|C:\Windows\System32\windows.storage.dll+1230d1(wow64)|C:\Windows\System32\windows.storage.dll+121e01(wow64)|C:\Windows\System32\windows.storage.dll+1243fa(wow64)|C:\Windows\System32\windows.storage.dll+1247f7(wow64)|C:\Windows\System32\windows.storage.dll+123e25(wow64)|C:\Windows\System32\SHELL32.dll+171304(wow64)|C:\Windows\System32\SHELL32.dll+1711de(wow64)|C:\Windows\System32\SHELL32.dll+170fd9(wow64)|C:\Windows\System32\SHELL32.dll+1948d9(wow64)AR-WIN-2\AdministratorAR-WIN-2\Administrator 154100x800000000000000024605Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.577{6CA7D817-DE91-654B-7225-000000000A03}3752C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe10.0.19041.685 (WinBuild.160101.0800)Windows GUI symbolic debuggerMicrosoft® Windows® Operating SystemMicrosoft Corporationwindbg.exe"C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exe" C:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\AR-WIN-2\Administrator{6CA7D817-C8F6-654B-7D62-110200000000}0x211627d2HighMD5=04EC4F58A1F4A87B5EEB1F4B7AFC48E0,SHA256=BD1AF3DBA56B129E6C624297EEED40C898FA2981FCE5CAAFE467D88A748988A4{6CA7D817-DE8F-654B-6D25-000000000A03}5348C:\Windows\SysWOW64\msiexec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F6223A6898B62DCDD086283F6AE20858AR-WIN-2\Administrator 29542900x800000000000000024537Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-11-08 19:16:33.461{6CA7D817-DE91-654B-7025-000000000A03}3760AR-WIN-2\AdministratorC:\Windows\SysWOW64\EXPAND.EXEC:\Users\ADMINI~1\AppData\Local\Temp\MW-180f9688-8ac3-4403-88a4-5a09c8ffa5e1\files\windbg.exeMD5=04EC4F58A1F4A87B5EEB1F4B7AFC48E0,SHA256=BD1AF3DBA56B129E6C624297EEED40C898FA2981FCE5CAAFE467D88A748988A4