734700x800000000000000060588508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.880{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x800000000000000060588484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.865{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValid 734700x800000000000000060588450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.865{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 734700x800000000000000060588422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.780{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=74261D485681A12AFF1AD517FD0EF200,SHA256=DEC3B7B1EBF3F7F4940FE63D665E2C50F6447C848C35C64B1BDE446E04358480trueMicrosoft WindowsValid 
734700x800000000000000060588394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.780{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 734700x800000000000000060588337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.749{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x800000000000000060588326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.912{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValid 734700x800000000000000060588315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.749{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValid 10341000x800000000000000060588299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.896{8B6011A9-BE53-6192-F778-05000000F101}83168408C:\Users\Administrator\Downloads\dcrypt.exe{8B6011A9-BE53-6192-F878-05000000F101}6776C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Users\Administrator\Downloads\dcrypt.exe+eab5|C:\Users\Administrator\Downloads\dcrypt.exe+1195c|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000060588298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.896{8B6011A9-BE53-6192-F878-05000000F101}6776C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp51.1052.0.0Setup/Uninstall---"C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp" /SL5="$2D0144,1206527,119296,C:\Users\Administrator\Downloads\dcrypt.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=6A96BEF4679E16A54B4090E74664DCCA,SHA256=CB095356DDCFCBACE96C6252FB73A267ED011C15FF206A7A9302007BAA68A783{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exe"C:\Users\Administrator\Downloads\dcrypt.exe" 
734700x800000000000000060588288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.728{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Users\Administrator\Downloads\dcrypt.exe DiskCryptor Setup DiskCryptor http://diskcryptor.org/ -MD5=3375FE67827671E121D049F9AABEFC3E,SHA256=02AC3A4F1CFB2723C20F3C7678B62C340C7974B95F8D9320941641D5C6FD2FEEtrueAlexander LomachevskyValid 10341000x800000000000000060588266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.865{8B6011A9-886E-6164-1600-00000000F101}1316340C:\Windows\System32\svchost.exe{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060588265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.865{8B6011A9-886E-6164-1600-00000000F101}13161348C:\Windows\System32\svchost.exe{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000060588262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.796{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp2021-11-15 20:08:51.796 
11241100x800000000000000060588261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.796{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp2021-11-15 20:08:51.796 734700x800000000000000060588260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.796{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x800000000000000060588259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.796{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x800000000000000060588258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.796{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x800000000000000060588257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 
20:08:51.796{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x800000000000000060588256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.780{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x800000000000000060588255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.780{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=4937BBA430F4AEEC4D0DC03A200348C3,SHA256=CDA95E98B9D37602AD11B97FDBF7BDDD2F79170CA5E140EB9D2A1B04E94E037FtrueMicrosoft WindowsValid 734700x800000000000000060588254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.780{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 
734700x800000000000000060588253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.780{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=B745CDE6791890C571B08D4E29D9174E,SHA256=08B93AC421A1DA6CC4F0FE683F10C3B7679A42395854BB54CB63B5DFD5BF58BEtrueMicrosoft WindowsValid 734700x800000000000000060588252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.780{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x800000000000000060588247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.749{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F7E6254059E93E3FBD7FE0E3C5615605,SHA256=1AD1D4229C9FF3B4D041E4B4973A83BE2078EECD11E9EC00E4C0B42EAB20E07AtrueMicrosoft WindowsValid 734700x800000000000000060588246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.749{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 
734700x800000000000000060588245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.749{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x800000000000000060588244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.749{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 734700x800000000000000060588243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.749{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x800000000000000060588242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.749{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A1EDD29F959E38F8AE4AF9B5CDD2B534,SHA256=CE5ECDC3BEFA2DC8C826A697EAC6CDAC12753258315701130CDEDB19D24DBC75trueMicrosoft 
WindowsValid 734700x800000000000000060588241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.749{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x800000000000000060588240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.749{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=D1F45F71014220112988A7BF64EE83EE,SHA256=60E8C6D420FC4AFF309FE9CB53327D8DC4EC541F627E4461C465561512D1ED5DtrueMicrosoft WindowsValid 734700x800000000000000060588239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.749{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x800000000000000060588238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.749{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x800000000000000060588237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.749{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=990CA13B9FE19A5A611F77B333BC9AAD,SHA256=EC3960CAABA4FC0287601311BDCC14D472A165DA7C43F88665D984CE1A0B7DE4trueMicrosoft WindowsValid 734700x800000000000000060588236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.749{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=6FDB4F1612AC70891B9F6E6005AA5DDB,SHA256=6DFEC2EE6E2A7CB4409AB824737A3657E6D66E309AFE83C28E0CE0676687F737trueMicrosoft WindowsValid 734700x800000000000000060588235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.749{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 13241300x800000000000000060588227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 
20:08:51.728{8B6011A9-5C50-6192-B66C-05000000F101}4916C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{76DE8FD9-41E6-4356-9284-19CF73683C25}\AppIdC:\Users\Administrator\Downloads\dcrypt.exe 734700x800000000000000060588224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.728{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x800000000000000060588222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.728{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000060588219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.728{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x800000000000000060588218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 
20:08:51.728{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000060588217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.728{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000060588216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.728{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x800000000000000060588215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.728{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 
734700x800000000000000060588214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.728{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x800000000000000060588213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.728{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x800000000000000060588212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.728{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4EA36017E45CC2C5D3D2EABEFBE25941,SHA256=6E96551961497DBE66E0329711E4AC670713DF9315B948D7CB5EEAE8C757292FtrueMicrosoft WindowsValid 734700x800000000000000060588211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.728{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 
10341000x800000000000000060588208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.728{8B6011A9-886D-6164-1300-00000000F101}10405360C:\Windows\System32\svchost.exe{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000060588207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:08:51.728{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\dcrypt.exeBinary Data 10341000x800000000000000060588205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.728{8B6011A9-886D-6164-1300-00000000F101}10408740C:\Windows\System32\svchost.exe{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000060588203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.712{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060588202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.712{8B6011A9-5C50-6192-B66C-05000000F101}49161972C:\Windows\explorer.exe{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac|C:\Windows\System32\SHELL32.dll+18cd03|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060588201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:08:51.711{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exe DiskCryptor Setup DiskCryptor http://diskcryptor.org/ -"C:\Users\Administrator\Downloads\dcrypt.exe" 
C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=3375FE67827671E121D049F9AABEFC3E,SHA256=02AC3A4F1CFB2723C20F3C7678B62C340C7974B95F8D9320941641D5C6FD2FEE{8B6011A9-5C50-6192-B66C-05000000F101}4916C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 534500x800000000000000060590263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.126{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exe 734700x800000000000000060590262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.126{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 13241300x800000000000000060590261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:09:59.126{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeHKLM\System\CurrentControlSet\Services\dcrypt\config\sysBuildDWORD (0x00000350) 13241300x800000000000000060590260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:09:59.126{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeHKLM\System\CurrentControlSet\Services\dcrypt\config\HotkeysBinary Data 13241300x800000000000000060590259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:09:59.126{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeHKLM\System\CurrentControlSet\Services\dcrypt\config\FlagsDWORD (0x00000580) 12241200x800000000000000060590258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-15 
20:09:59.126{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeHKLM\System\CurrentControlSet\Services\dcrypt\config 13241300x800000000000000060590257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:09:59.110{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeHKLM\System\CurrentControlSet\Control\CrashControl\DumpFiltersBinary Data 13241300x800000000000000060590256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:09:59.110{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeHKLM\System\CurrentControlSet\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}\UpperFiltersBinary Data 13241300x800000000000000060590255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:09:59.110{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeHKLM\System\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}\LowerFiltersBinary Data 13241300x800000000000000060590254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:09:59.110{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeHKLM\System\CurrentControlSet\Services\dcrypt\Instances\dcrypt\FlagsDWORD (0x00000000) 13241300x800000000000000060590253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:09:59.110{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeHKLM\System\CurrentControlSet\Services\dcrypt\Instances\dcrypt\Altitude87150 12241200x800000000000000060590252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-15 20:09:59.110{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeHKLM\System\CurrentControlSet\Services\dcrypt\Instances\dcrypt 
13241300x800000000000000060590251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:09:59.110{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeHKLM\System\CurrentControlSet\Services\dcrypt\Instances\DefaultInstancedcrypt 12241200x800000000000000060590250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-15 20:09:59.110{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeHKLM\System\CurrentControlSet\Services\dcrypt\Instances 13241300x800000000000000060590246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:09:59.110{8B6011A9-886B-6164-0A00-00000000F101}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\dcrypt\ImagePathsystem32\drivers\dcrypt.sys 734700x800000000000000060590241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.110{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176trueMicrosoft WindowsValid 11241100x800000000000000060590240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.110{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\drivers\dcrypt.sys2021-11-15 20:09:59.110 734700x800000000000000060590239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.110{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000060590229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.088{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Program Files\dcrypt\dcapi.dll1.2 Beta 3DiskCryptor apiDiskCryptor-dcapi.dllMD5=FABCCEF1190B2F01FD8B88FAA3B9AD8C,SHA256=E9C639132C4FD0A7D6CA8BFB8D1012026D7C81A995F8D95C64617D118842E4E0trueAlexander LomachevskyValid 734700x800000000000000060590214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.108{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000060590213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.107{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000060590212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.107{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000060590211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.107{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000060590210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.106{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28trueMicrosoft WindowsValid 734700x800000000000000060590209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.106{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000060590208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.105{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000060590207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.105{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000060590206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.105{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000060590205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.104{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000060590204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.088{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000060590203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.088{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000060590202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.088{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000060590188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.088{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Program Files\dcrypt\dcinst.exe1.2 Beta 3DiskCryptor installer supportDiskCryptor-dcinst.exeMD5=C9F3C52212A6053FC985778B84FC6919,SHA256=654614079CF9159B6A9205CCDAE8D5EEFF998B31955578A7FC1EF77469E380D6trueAlexander LomachevskyValid 734700x800000000000000060590180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.088{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValid 734700x800000000000000060590175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.088{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000060590174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.088{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000060590172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.088{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000060590170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.073{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program 
Files\dcrypt\dcinst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060590169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.073{8B6011A9-BE53-6192-F878-05000000F101}67766140C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp+acd0d|C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp+af87f|C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp+d8328|C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp+f45dc|C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp+94bb6|C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp+939cf|C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp+f9c3e|C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp+e4bdd|C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp+e5c0c|C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp+c96a1|C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp+5ccf1 154100x800000000000000060590168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.085{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exe1.2 Beta 3DiskCryptor installer 
supportDiskCryptor-dcinst.exe"C:\Program Files\dcrypt\dcinst.exe" -setupC:\Program Files\dcrypt\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=C9F3C52212A6053FC985778B84FC6919,SHA256=654614079CF9159B6A9205CCDAE8D5EEFF998B31955578A7FC1EF77469E380D6{8B6011A9-BE53-6192-F878-05000000F101}6776C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp"C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmp" /SL5="$2D0144,1206527,119296,C:\Users\Administrator\Downloads\dcrypt.exe" 10341000x800000000000000060590167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:09:59.073{8B6011A9-886D-6164-1300-00000000F101}10405360C:\Windows\System32\svchost.exe{8B6011A9-BE97-6192-0079-05000000F101}8232C:\Program Files\dcrypt\dcinst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000060590149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:09:59.057{8B6011A9-BE53-6192-F878-05000000F101}6776C:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmpHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DiskCryptor_is1\DisplayIconC:\Program Files\dcrypt\dcrypt.exe 534500x800000000000000060590771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:10:20.891{8B6011A9-BE53-6192-F778-05000000F101}8316C:\Users\Administrator\Downloads\dcrypt.exe 23542300x800000000000000060590766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 
20:10:20.854{8B6011A9-BE53-6192-F778-05000000F101}8316ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dcrypt.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\is-RR4D9.tmp\dcrypt.tmpMD5=6A96BEF4679E16A54B4090E74664DCCA,SHA256=CB095356DDCFCBACE96C6252FB73A267ED011C15FF206A7A9302007BAA68A783truetrue 13241300x800000000000000060592217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\UsnQWORD (0x00000001-0xfe3554f0) 13241300x800000000000000060592216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\LanguageDWORD (0x00000000) 13241300x800000000000000060592215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\SizeQWORD (0x00000000-0x001898c0) 13241300x800000000000000060592214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\AppxPackageRelativeId(Empty) 13241300x800000000000000060592213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 
20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\AppxPackageFullName(Empty) 13241300x800000000000000060592212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\BinProductVersion0.0.0.0 13241300x800000000000000060592211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\LinkDate01/15/2016 08:22:50 13241300x800000000000000060592210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\ProductVersion1.2.1 13241300x800000000000000060592209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\ProductNamediskcryptor 13241300x800000000000000060592208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\BinaryTypepe32_i386 
13241300x800000000000000060592207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\BinFileVersion0.0.0.0 13241300x800000000000000060592206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\Version 13241300x800000000000000060592205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\Publisherhttp://diskcryptor.org/ 13241300x800000000000000060592204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\OriginalFileName(Empty) 13241300x800000000000000060592203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\Namedcrypt.exe 13241300x800000000000000060592202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 
20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\LongPathHashdcrypt.exe|c8156b88a984edd0 13241300x800000000000000060592201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\LowerCaseLongPathc:\users\administrator\downloads\dcrypt.exe 13241300x800000000000000060592200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\FileId0000e5286dbd0a54a110b39eb1e3e7015d82f316132e 13241300x800000000000000060592199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0\ProgramId000659469abd8d657a733dc352995067a8d100000000 12241200x800000000000000060592198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-15 20:10:22.914{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe\REGISTRY\A\{8059fb97-7f80-9bcc-be5f-d91bcf40f47d}\Root\InventoryApplicationFile\dcrypt.exe|c8156b88a984edd0 13241300x800000000000000060592158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:22.899{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility 
Assistant\Store\C:\Users\Administrator\Downloads\dcrypt.exeBinary Data 13241300x800000000000000060597763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:38.484{8B6011A9-BEB6-6192-0B79-05000000F101}5300C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{c542d6e6-4369-75a0-e589-45898c83b470}\Root\InventoryApplicationFile\dcrypt.sys|924e250fec014a76\UsnQWORD (0x00000001-0xfe46a3b0) 13241300x800000000000000060597762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:38.484{8B6011A9-BEB6-6192-0B79-05000000F101}5300C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{c542d6e6-4369-75a0-e589-45898c83b470}\Root\InventoryApplicationFile\dcrypt.sys|924e250fec014a76\LanguageDWORD (0x00000009) 13241300x800000000000000060597761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:38.484{8B6011A9-BEB6-6192-0B79-05000000F101}5300C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{c542d6e6-4369-75a0-e589-45898c83b470}\Root\InventoryApplicationFile\dcrypt.sys|924e250fec014a76\SizeQWORD (0x00000000-0x00031f90) 13241300x800000000000000060597760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:38.484{8B6011A9-BEB6-6192-0B79-05000000F101}5300C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{c542d6e6-4369-75a0-e589-45898c83b470}\Root\InventoryApplicationFile\dcrypt.sys|924e250fec014a76\AppxPackageRelativeId(Empty) 13241300x800000000000000060597759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:38.484{8B6011A9-BEB6-6192-0B79-05000000F101}5300C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{c542d6e6-4369-75a0-e589-45898c83b470}\Root\InventoryApplicationFile\dcrypt.sys|924e250fec014a76\AppxPackageFullName(Empty) 13241300x800000000000000060597758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 
20:10:38.484{8B6011A9-BEB6-6192-0B79-05000000F101}5300C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{c542d6e6-4369-75a0-e589-45898c83b470}\Root\InventoryApplicationFile\dcrypt.sys|924e250fec014a76\BinProductVersion1.2.848.118 13241300x800000000000000060597757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:38.484{8B6011A9-BEB6-6192-0B79-05000000F101}5300C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{c542d6e6-4369-75a0-e589-45898c83b470}\Root\InventoryApplicationFile\dcrypt.sys|924e250fec014a76\LinkDate04/20/2020 20:09:30 13241300x800000000000000060597756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:38.484{8B6011A9-BEB6-6192-0B79-05000000F101}5300C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{c542d6e6-4369-75a0-e589-45898c83b470}\Root\InventoryApplicationFile\dcrypt.sys|924e250fec014a76\ProductVersion1.2 13241300x800000000000000060597755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:38.484{8B6011A9-BEB6-6192-0B79-05000000F101}5300C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{c542d6e6-4369-75a0-e589-45898c83b470}\Root\InventoryApplicationFile\dcrypt.sys|924e250fec014a76\ProductNamediskcryptor 13241300x800000000000000060597754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:38.484{8B6011A9-BEB6-6192-0B79-05000000F101}5300C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{c542d6e6-4369-75a0-e589-45898c83b470}\Root\InventoryApplicationFile\dcrypt.sys|924e250fec014a76\BinaryTypepe64_amd64 13241300x800000000000000060597753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:38.484{8B6011A9-BEB6-6192-0B79-05000000F101}5300C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{c542d6e6-4369-75a0-e589-45898c83b470}\Root\InventoryApplicationFile\dcrypt.sys|924e250fec014a76\BinFileVersion1.2.848.118 
13241300x800000000000000060597752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:38.484{8B6011A9-BEB6-6192-0B79-05000000F101}5300C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{c542d6e6-4369-75a0-e589-45898c83b470}\Root\InventoryApplicationFile\dcrypt.sys|924e250fec014a76\Version1.2 beta 3 13241300x800000000000000060597751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:38.468{8B6011A9-BEB6-6192-0B79-05000000F101}5300C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{c542d6e6-4369-75a0-e589-45898c83b470}\Root\InventoryApplicationFile\dcrypt.sys|924e250fec014a76\Publisher(Empty) 13241300x800000000000000060597750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:38.468{8B6011A9-BEB6-6192-0B79-05000000F101}5300C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{c542d6e6-4369-75a0-e589-45898c83b470}\Root\InventoryApplicationFile\dcrypt.sys|924e250fec014a76\OriginalFileNamedcrypt.sys 13241300x800000000000000060597749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:38.468{8B6011A9-BEB6-6192-0B79-05000000F101}5300C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{c542d6e6-4369-75a0-e589-45898c83b470}\Root\InventoryApplicationFile\dcrypt.sys|924e250fec014a76\Namedcrypt.sys 13241300x800000000000000060597748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:10:38.468{8B6011A9-BEB6-6192-0B79-05000000F101}5300C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{c542d6e6-4369-75a0-e589-45898c83b470}\Root\InventoryApplicationFile\dcrypt.sys|924e250fec014a76\LongPathHashdcrypt.sys|924e250fec014a76 13241300x800000000000000060597747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000060642510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.740{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000060642508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.740{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000060642507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.740{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000060642505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.724{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® 
Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000060642504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.724{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000060642503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.724{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000060642502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.724{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000060642501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.724{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 
(rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2BtrueMicrosoft WindowsValid 734700x800000000000000060642500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.724{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000060642499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.724{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValid 734700x800000000000000060642498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.724{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000060642497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.724{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program 
Files\dcrypt\dcrypt.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 10341000x800000000000000060642487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}4245764C:\Windows\System32\svchost.exe{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000060642477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\UsnQWORD (0x00000001-0xfe46b2a8) 13241300x800000000000000060642475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\LanguageDWORD (0x00000009) 13241300x800000000000000060642474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\SizeQWORD (0x00000000-0x0004a458) 
13241300x800000000000000060642472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\AppxPackageRelativeId(Empty) 13241300x800000000000000060642471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\AppxPackageFullName(Empty) 13241300x800000000000000060642470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\BinProductVersion1.2.848.118 13241300x800000000000000060642469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\LinkDate04/20/2020 20:10:52 13241300x800000000000000060642468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\ProductVersion1.2 13241300x800000000000000060642465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 
20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\ProductNamediskcryptor 13241300x800000000000000060642464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\BinaryTypepe64_amd64 13241300x800000000000000060642463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\BinFileVersion1.2.848.118 13241300x800000000000000060642462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\Version1.2 beta 3 13241300x800000000000000060642461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\Publisher(Empty) 13241300x800000000000000060642460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\OriginalFileNamedcrypt.exe 13241300x800000000000000060642459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 
20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\Namedcrypt.exe 13241300x800000000000000060642458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\LongPathHashdcrypt.exe|1d01dc962080c690 13241300x800000000000000060642457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\LowerCaseLongPathc:\program files\dcrypt\dcrypt.exe 13241300x800000000000000060642456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\FileId00001b32a8bfd336344f3318bfda9b8e13b98301f00e 13241300x800000000000000060642454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690\ProgramId000096b5d73b3dfe78aa5e4df2cf661273760000ffff 12241200x800000000000000060642453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-15 20:12:21.724{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exe\REGISTRY\A\{79ec7d7b-0da4-a25c-4761-73e18ed9e4bf}\Root\InventoryApplicationFile\dcrypt.exe|1d01dc962080c690 
13241300x800000000000000060642376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:12:21.646{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\dcrypt\dcrypt.exeBinary Data 10341000x800000000000000060642373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.646{8B6011A9-BEE0-6192-1000-00000000F201}4241100C:\Windows\System32\svchost.exe{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060642341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.614{8B6011A9-BF17-6192-7B00-00000000F201}27884116C:\Windows\system32\csrss.exe{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060642340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 
20:12:21.614{8B6011A9-BF1A-6192-9200-00000000F201}41565752C:\Windows\Explorer.EXE{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\windows.storage.dll+15922|C:\Windows\System32\windows.storage.dll+15619|C:\Windows\System32\windows.storage.dll+154ef|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+18cfac 154100x800000000000000060642339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.607{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe1.2 Beta 3DiskCryptor GUIDiskCryptor-dcrypt.exe"C:\Program Files\dcrypt\dcrypt.exe" C:\Program Files\dcrypt\ATTACKRANGE\Administrator{8B6011A9-BF19-6192-DE3E-080000000000}0x83ede2HighMD5=30FA9DE8BFD8CE4FBEE346E044D1F9FF,SHA256=23D10404F91689437DF37A4DFE584F7C387696B05A06A3CE01ECFCD84ECA2D2C{8B6011A9-BF1A-6192-9200-00000000F201}4156C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 924900x800000000000000060642814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:22.022{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 
10341000x800000000000000060642813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:22.022{8B6011A9-BF1A-6192-9200-00000000F201}41565012C:\Windows\Explorer.EXE{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060642812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:22.022{8B6011A9-BF1A-6192-9200-00000000F201}41565012C:\Windows\Explorer.EXE{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060642811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:22.022{8B6011A9-BF1A-6192-9200-00000000F201}41564220C:\Windows\Explorer.EXE{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program 
Files\dcrypt\dcrypt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+11d74|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060642808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:22.022{8B6011A9-BF1A-6192-9200-00000000F201}41564220C:\Windows\Explorer.EXE{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+11d74|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060642807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:22.022{8B6011A9-BF1A-6192-9200-00000000F201}41564220C:\Windows\Explorer.EXE{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program 
Files\dcrypt\dcrypt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060642806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:22.022{8B6011A9-BF1A-6192-9200-00000000F201}41564220C:\Windows\Explorer.EXE{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060642805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:22.022{8B6011A9-BF1A-6192-9200-00000000F201}41564220C:\Windows\Explorer.EXE{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program 
Files\dcrypt\dcrypt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060642804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.991{8B6011A9-BF19-6192-8700-00000000F201}47764952C:\Windows\system32\taskhostw.exe{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060642803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:21.991{8B6011A9-BF19-6192-8700-00000000F201}47764952C:\Windows\system32\taskhostw.exe{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 924900x800000000000000060642858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:23.951{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060642857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 
20:12:23.935{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060642856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:23.041{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060642860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:24.045{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060642859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:24.045{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060643217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:25.049{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060643216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:25.049{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060643927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:26.068{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060643926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:26.068{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060644654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:27.087{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060644653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 
20:12:27.087{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060646864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.343{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\Harddisk0\DR0 924900x800000000000000060646851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.343{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\Harddisk0\DR0 924900x800000000000000060646847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.343{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060646846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.343{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060646845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.343{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\Harddisk0\DR0 924900x800000000000000060646844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.343{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\Harddisk0\DR0 924900x800000000000000060646843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.327{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\Harddisk0\DR0 924900x800000000000000060646842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.327{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\Harddisk0\DR0 924900x800000000000000060646841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 
20:12:28.327{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\Harddisk0\DR0 924900x800000000000000060646840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.327{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\Harddisk0\DR0 924900x800000000000000060646839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.327{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\Harddisk0\DR0 924900x800000000000000060646838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.327{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060646835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.296{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\Harddisk0\DR0 924900x800000000000000060646834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.296{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\Harddisk0\DR0 924900x800000000000000060646833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.296{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\Harddisk0\DR0 924900x800000000000000060646832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.285{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060646831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.285{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\Harddisk0\DR0 924900x800000000000000060646830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 
20:12:28.285{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060646829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.285{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060646828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.285{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060646827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.264{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 10341000x800000000000000060646676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.139{8B6011A9-BF1A-6192-9200-00000000F201}41565012C:\Windows\Explorer.EXE{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060646675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.139{8B6011A9-BF1A-6192-9200-00000000F201}41565012C:\Windows\Explorer.EXE{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program 
Files\dcrypt\dcrypt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060646636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.139{8B6011A9-BF1A-6192-9200-00000000F201}41565028C:\Windows\Explorer.EXE{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060646634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.139{8B6011A9-BF1A-6192-9200-00000000F201}41565028C:\Windows\Explorer.EXE{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060646631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 
20:12:28.139{8B6011A9-BF1A-6192-9200-00000000F201}41565028C:\Windows\Explorer.EXE{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 924900x800000000000000060646597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.108{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060646596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:28.108{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060648318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:29.114{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060648317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:29.114{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060650372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:30.123{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060650368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:30.123{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060651165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:31.126{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 
924900x800000000000000060651164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:31.126{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060651338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:32.129{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060651337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:32.129{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060651408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:33.133{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 924900x800000000000000060651407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:33.133{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe\Device\HarddiskVolume1 10341000x800000000000000060652519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:38.267{8B6011A9-BF1A-6192-9200-00000000F201}41565028C:\Windows\Explorer.EXE{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060652518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:38.267{8B6011A9-BF1A-6192-9200-00000000F201}41565028C:\Windows\Explorer.EXE{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program 
Files\dcrypt\dcrypt.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060652517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:38.267{8B6011A9-BF1A-6192-9200-00000000F201}41565028C:\Windows\Explorer.EXE{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060653424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:43.783{8B6011A9-BF31-6192-A800-00000000F201}55925596C:\Windows\System32\svchost.exe{8B6011A9-BF3B-6192-B400-00000000F201}5792C:\Program Files\dcrypt\dcrypt.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\SYSTEM32\ntdll.dll+58dbb|C:\Windows\System32\KERNELBASE.dll+b780d|c:\windows\system32\wersvc.dll+13597|c:\windows\system32\wersvc.dll+f4e6|c:\windows\system32\wersvc.dll+8580|c:\windows\system32\wersvc.dll+5c4a|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060653423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:43.752{8B6011A9-BF31-6192-A800-00000000F201}55925596C:\Windows\System32\svchost.exe{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program 
Files\dcrypt\dcrypt.exe0x14d0C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+13570|c:\windows\system32\wersvc.dll+f4e6|c:\windows\system32\wersvc.dll+8580|c:\windows\system32\wersvc.dll+5c4a|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060653418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:43.736{8B6011A9-BF31-6192-A800-00000000F201}55925596C:\Windows\System32\svchost.exe{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x103611C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+126d4|c:\windows\system32\wersvc.dll+f4e6|c:\windows\system32\wersvc.dll+8580|c:\windows\system32\wersvc.dll+5c4a|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060653417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:43.736{8B6011A9-BF31-6192-A800-00000000F201}55925596C:\Windows\System32\svchost.exe{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\wersvc.dll+f254|c:\windows\system32\wersvc.dll+8580|c:\windows\system32\wersvc.dll+5c4a|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060653807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 
20:12:44.457{8B6011A9-BF3B-6192-B300-00000000F201}26645780C:\Windows\system32\werfault.exe{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\system32\wer.dll+37d6c|C:\Windows\system32\wer.dll+382c4|C:\Windows\system32\wer.dll+38c5a|C:\Windows\system32\wer.dll+13c54|C:\Windows\system32\wer.dll+6476|C:\Windows\SYSTEM32\werui.dll+eb12|C:\Windows\SYSTEM32\werui.dll+275a|C:\Windows\system32\werfault.exe+1495|C:\Windows\system32\werfault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060653803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:44.457{8B6011A9-BF3B-6192-B300-00000000F201}26645780C:\Windows\system32\werfault.exe{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\werui.dll+11390|C:\Windows\SYSTEM32\werui.dll+1105b|C:\Windows\SYSTEM32\werui.dll+aa25|C:\Windows\SYSTEM32\werui.dll+e9d3|C:\Windows\SYSTEM32\werui.dll+275a|C:\Windows\system32\werfault.exe+1495|C:\Windows\system32\werfault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060653802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:44.457{8B6011A9-BF3B-6192-B300-00000000F201}26642464C:\Windows\system32\werfault.exe{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1450C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wer.dll+29c3|C:\Windows\system32\wer.dll+311c|C:\Windows\system32\wer.dll+4440|C:\Windows\system32\wer.dll+48dd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x800000000000000060653608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:44.206{8B6011A9-BF3B-6192-B300-00000000F201}26645780C:\Windows\system32\werfault.exe{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x101c7bC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\werui.dll+e1f6|C:\Windows\SYSTEM32\werui.dll+261b|C:\Windows\system32\werfault.exe+1495|C:\Windows\system32\werfault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060653607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:44.206{8B6011A9-BF3B-6192-B300-00000000F201}26645780C:\Windows\system32\werfault.exe{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\werui.dll+1a8f|C:\Windows\SYSTEM32\werui.dll+24f2|C:\Windows\system32\werfault.exe+1495|C:\Windows\system32\werfault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060653606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:12:44.206{8B6011A9-BF3B-6192-B300-00000000F201}26645780C:\Windows\system32\werfault.exe{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\SYSTEM32\werui.dll+6491|C:\Windows\SYSTEM32\werui.dll+62a7|C:\Windows\SYSTEM32\werui.dll+240b|C:\Windows\system32\werfault.exe+1495|C:\Windows\system32\werfault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060653593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 
20:12:44.159{8B6011A9-BF3B-6192-B300-00000000F201}26645780C:\Windows\system32\werfault.exe{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe0x101450C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\werui.dll+6045|C:\Windows\SYSTEM32\werui.dll+240b|C:\Windows\system32\werfault.exe+1495|C:\Windows\system32\werfault.exe+241ad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x800000000000000060655555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-15 20:13:13.363{8B6011A9-BF25-6192-9C00-00000000F201}5756C:\Program Files\dcrypt\dcrypt.exe 13241300x800000000000000060656001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-15 20:13:15.367{8B6011A9-BEE0-6192-1000-00000000F201}424C:\Windows\System32\svchost.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\dcrypt\dcrypt.exeBinary Data