154100x800000000000000026509444Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-02-11 13:31:07.261{834264DD-651B-6206-F900-000000002802}6760C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-648C-6206-2430-0B0000000000}0xb30242HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA{834264DD-651B-6206-F700-000000002802}5512C:\Windows\System32\rundll32.exerundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll, #2 ATTACKRANGE\Administrator 154100x800000000000000026509284Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-02-11 13:31:07.202{834264DD-651B-6206-F700-000000002802}5512C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll, #2 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-648C-6206-2430-0B0000000000}0xb30242HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667{834264DD-651A-6206-F200-000000002802}6520C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "rundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll,#2 & rundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll #2 & rundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll, #2" ATTACKRANGE\Administrator 154100x800000000000000026509253Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-02-11 13:31:07.194{834264DD-651B-6206-F600-000000002802}6636C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-648C-6206-2430-0B0000000000}0xb30242HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA{834264DD-651B-6206-F500-000000002802}6560C:\Windows\System32\rundll32.exerundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll #2 ATTACKRANGE\Administrator 154100x800000000000000026509129Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-02-11 13:31:07.126{834264DD-651B-6206-F500-000000002802}6560C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll #2 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-648C-6206-2430-0B0000000000}0xb30242HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667{834264DD-651A-6206-F200-000000002802}6520C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "rundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll,#2 & rundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll #2 & rundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll, #2" ATTACKRANGE\Administrator 154100x800000000000000026509124Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-02-11 13:31:07.118{834264DD-651B-6206-F400-000000002802}6600C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-648C-6206-2430-0B0000000000}0xb30242HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA{834264DD-651A-6206-F300-000000002802}6564C:\Windows\System32\rundll32.exerundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll,#2 ATTACKRANGE\Administrator 154100x800000000000000026508978Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-02-11 13:31:06.639{834264DD-651A-6206-F300-000000002802}6564C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll,#2 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-648C-6206-2430-0B0000000000}0xb30242HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667{834264DD-651A-6206-F200-000000002802}6520C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "rundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll,#2 & rundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll #2 & rundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll, #2" ATTACKRANGE\Administrator 154100x800000000000000026508968Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-02-11 13:31:06.627{834264DD-651A-6206-F200-000000002802}6520C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "rundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll,#2 & rundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll #2 & rundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll, #2" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-648C-6206-2430-0B0000000000}0xb30242HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{834264DD-64D6-6206-DA00-000000002802}796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x800000000000000026505736Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-02-11 13:30:15.255{834264DD-64E7-6206-E400-000000002802}6636C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-648C-6206-2430-0B0000000000}0xb30242HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA{834264DD-64E7-6206-E300-000000002802}5760C:\Windows\System32\rundll32.exerundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll #2blahblah ATTACKRANGE\Administrator 154100x800000000000000026505608Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-02-11 13:30:15.118{834264DD-64E7-6206-E300-000000002802}5760C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll #2blahblah C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-648C-6206-2430-0B0000000000}0xb30242HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667{834264DD-64E7-6206-E200-000000002802}6596C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "rundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll #2blahblah" ATTACKRANGE\Administrator 154100x800000000000000026505598Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-02-11 13:30:15.108{834264DD-64E7-6206-E200-000000002802}6596C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "rundll32.exe C:\AtomicRedTeam\atomics\T1218.010\bin\AllTheThingsx64.dll #2blahblah" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-648C-6206-2430-0B0000000000}0xb30242HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{834264DD-64D6-6206-DA00-000000002802}796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator