11241100x800000000000000058450Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-2022-03-29 19:25:46.655{92CAAE11-5079-6243-D905-000000004102}4648C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\FeelTheBurn.iso.lnk2022-03-29 19:25:46.655 154100x800000000000000056831Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-2022-03-29 19:22:27.765{92CAAE11-5C73-6243-BE07-000000004102}6412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {$keep = Mount-DiskImage -ImagePath \""C:\AtomicRedTeam\atomics\T1553.005\bin\FeelTheBurn.iso\"" -StorageType ISO -Access ReadOnly $driveLetter = ($keep | Get-Volume).DriveLetter invoke-item \""$($driveLetter):\hello.exe\""}C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{92CAAE11-5077-6243-DC1E-580000000000}0x581edc2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{92CAAE11-5091-6243-F705-000000004102}6980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x800000000000000056727Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-2022-03-29 19:22:26.849{92CAAE11-5C72-6243-BA07-000000004102}5540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {Mount-DiskImage -ImagePath \""C:\AtomicRedTeam\atomics\T1553.005\bin\T1553.005.iso\""}C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{92CAAE11-5077-6243-DC1E-580000000000}0x581edc2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{92CAAE11-5091-6243-F705-000000004102}6980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x800000000000000056412Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-2022-03-29 19:22:05.679{92CAAE11-5C5D-6243-B007-000000004102}2384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1553.005\bin\FeelTheBurn.iso) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{92CAAE11-5077-6243-DC1E-580000000000}0x581edc2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{92CAAE11-5091-6243-F705-000000004102}6980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x800000000000000056366Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-2022-03-29 19:22:04.870{92CAAE11-5C5C-6243-AF07-000000004102}5312C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1553.005\bin\T1553.005.iso) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{92CAAE11-5077-6243-DC1E-580000000000}0x581edc2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{92CAAE11-5091-6243-F705-000000004102}6980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000043137Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-2022-03-29 18:45:39.181{92CAAE11-50B0-6243-0206-000000004102}7000ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\Desktop\iso\FeelTheBurn.isoMD5=7A77153B5CAAF17C971EF12C2EF6AD6E,SHA256=C418A81720FC9682D197A399B82335D41CCFDFC707C2CF90F771C1C2FA4128B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041857Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-2022-03-29 18:43:14.505{92CAAE11-50B0-6243-0206-000000004102}7000ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\Desktop\iso\FeelTheBurn.isoMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040696Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-2022-03-29 18:41:06.059{92CAAE11-50B0-6243-0206-000000004102}7000ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\Desktop\iso\FeelTheBurn.isoMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039552Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-2022-03-29 18:39:17.496{92CAAE11-50B0-6243-0206-000000004102}7000ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\Desktop\iso\FeelTheBurn.isoMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039551Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-2022-03-29 18:39:17.496{92CAAE11-50B0-6243-0206-000000004102}7000ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\Desktop\iso\FeelTheBurn.iso:Zone.IdentifierMD5=E171133FD447E86061D4609D23F3A8A5,SHA256=05FEE91BA07E8C3D23160F7271711B8DBC86BD1C4E663C7ABD2A19F0DCDA50ED,IMPHASH=00000000000000000000000000000000falsefalse - rename failed with status 0xc000000d 23542300x800000000000000039307Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-702.attackrange.local-2022-03-29 18:38:40.427{92CAAE11-50B0-6243-0206-000000004102}7000ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\Desktop\iso\FeelTheBurn.iso:Zone.IdentifierMD5=E171133FD447E86061D4609D23F3A8A5,SHA256=05FEE91BA07E8C3D23160F7271711B8DBC86BD1C4E663C7ABD2A19F0DCDA50ED,IMPHASH=00000000000000000000000000000000falsefalse - rename failed with status 0xc000000d