10341000x80000000000000002292746Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:13:46.954{9DBE88B5-C32E-61A8-0D00-000000000E02}9084808C:\Windows\system32\svchost.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002288799Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:48.547{9DBE88B5-6214-61B2-190B-010000000E02}5084C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /TN "Raccine Rules Updater" /FC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000002288711Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:45.022{9DBE88B5-2F14-61B2-9603-010000000E02}80647708C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002288710Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:45.021{9DBE88B5-2F14-61B2-9603-010000000E02}80647708C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002288709Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:45.021{9DBE88B5-2F14-61B2-9603-010000000E02}80647708C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002288708Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:45.020{9DBE88B5-2F14-61B2-9603-010000000E02}80646016C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002288707Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:45.019{9DBE88B5-2F14-61B2-9603-010000000E02}80646016C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002288706Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:45.019{9DBE88B5-2F14-61B2-9603-010000000E02}80646016C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002288705Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:45.019{9DBE88B5-2F14-61B2-9603-010000000E02}80646016C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002288662Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 20:07:41.564{9DBE88B5-620D-61B2-180B-010000000E02}6188C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exe"C:\Windows\system32\schtasks.exe" /DELETE /TN "Raccine Rules Updater" /FC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002258864Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:52.026{9DBE88B5-587A-61B2-D309-010000000E02}3196ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmpMD5=24A5DED9B4C83D1105BA1DA54B769959,SHA256=62299AC455D50DCA677B78D21FCA50EE9796E9996C14E3C7211828978A89281E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002258861Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.678{9DBE88B5-587A-61B2-EB09-010000000E02}75041292C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258858Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.664{9DBE88B5-587A-61B2-EC09-010000000E02}73325024C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-EB09-010000000E02}7504C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258852Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.653{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-EB09-010000000E02}7504C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258851Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.653{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-EB09-010000000E02}7504C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258850Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.653{9DBE88B5-587A-61B2-EB09-010000000E02}7504C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258847Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.638{9DBE88B5-587A-61B2-EA09-010000000E02}33367568C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-E909-010000000E02}5824C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258840Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.626{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-E909-010000000E02}5824C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258839Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.626{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-E909-010000000E02}5824C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258838Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.626{9DBE88B5-587A-61B2-E909-010000000E02}5824C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258835Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.610{9DBE88B5-587A-61B2-E809-010000000E02}80201172C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-E709-010000000E02}2392C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258829Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.599{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-E709-010000000E02}2392C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258828Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.599{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-E709-010000000E02}2392C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258827Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.599{9DBE88B5-587A-61B2-E709-010000000E02}2392C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258822Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.584{9DBE88B5-587A-61B2-E609-010000000E02}51326212C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-E509-010000000E02}7912C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258816Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.573{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-E509-010000000E02}7912C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258815Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.573{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-E509-010000000E02}7912C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258814Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.572{9DBE88B5-587A-61B2-E509-010000000E02}7912C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258811Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.556{9DBE88B5-587A-61B2-E409-010000000E02}75447988C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-E309-010000000E02}6580C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258805Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.545{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-E309-010000000E02}6580C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258804Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.545{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-E309-010000000E02}6580C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258803Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.545{9DBE88B5-587A-61B2-E309-010000000E02}6580C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258800Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.530{9DBE88B5-587A-61B2-E209-010000000E02}81447748C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-E109-010000000E02}8176C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258794Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.519{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-E109-010000000E02}8176C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258793Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.519{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-E109-010000000E02}8176C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258792Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.519{9DBE88B5-587A-61B2-E109-010000000E02}8176C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258789Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.504{9DBE88B5-587A-61B2-E009-010000000E02}3564144C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-DF09-010000000E02}7924C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258782Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.492{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-DF09-010000000E02}7924C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258781Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.492{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-DF09-010000000E02}7924C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258780Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.492{9DBE88B5-587A-61B2-DF09-010000000E02}7924C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258777Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.478{9DBE88B5-587A-61B2-DE09-010000000E02}41607948C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-DD09-010000000E02}7864C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258771Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.466{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-DD09-010000000E02}7864C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258770Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.466{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-DD09-010000000E02}7864C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258769Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.466{9DBE88B5-587A-61B2-DD09-010000000E02}7864C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258766Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.449{9DBE88B5-587A-61B2-DC09-010000000E02}46008120C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-DB09-010000000E02}904C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258760Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.438{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-DB09-010000000E02}904C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258759Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.438{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-DB09-010000000E02}904C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258758Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.438{9DBE88B5-587A-61B2-DB09-010000000E02}904C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258755Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.423{9DBE88B5-587A-61B2-DA09-010000000E02}79286560C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-D909-010000000E02}4980C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258749Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.412{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-D909-010000000E02}4980C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258748Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.412{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-D909-010000000E02}4980C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258747Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.412{9DBE88B5-587A-61B2-D909-010000000E02}4980C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258744Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.396{9DBE88B5-587A-61B2-D809-010000000E02}66003204C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-D709-010000000E02}6536C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258738Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.384{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-D709-010000000E02}6536C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258737Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.384{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-D709-010000000E02}6536C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258736Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.385{9DBE88B5-587A-61B2-D709-010000000E02}6536C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258733Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.369{9DBE88B5-587A-61B2-D609-010000000E02}53081924C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-D509-010000000E02}7052C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258725Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.356{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-D509-010000000E02}7052C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258724Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.356{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-D509-010000000E02}7052C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258723Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.356{9DBE88B5-587A-61B2-D509-010000000E02}7052C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Start Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258721Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.352{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258706Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.344{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258638Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.302{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258636Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.297{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258621Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.289{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258553Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.247{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258552Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.246{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258550Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.241{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258535Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.232{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258468Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.189{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258467Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.187{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-D409-010000000E02}5476C:\Windows\system32\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002258466Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.185{9DBE88B5-587A-61B2-D309-010000000E02}3196ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac4B5D.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002258465Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.179{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-D409-010000000E02}5476C:\Windows\system32\net.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258459Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.178{9DBE88B5-587A-61B2-D309-010000000E02}31966376C:\Program Files\Raccine\Raccine.exe{9DBE88B5-587A-61B2-D409-010000000E02}5476C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258458Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.178{9DBE88B5-587A-61B2-D409-010000000E02}5476C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" Start WsearchC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start Wsearch 10341000x80000000000000002258457Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.170{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258452Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.168{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258451Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.168{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca360024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c9803a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97d665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c78d5(wow64) 154100x80000000000000002258450Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.167{9DBE88B5-587A-61B2-D309-010000000E02}3196C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Start WsearchC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002258439Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:50.141{9DBE88B5-5878-61B2-B809-010000000E02}6160ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmpMD5=81F9601E3C5B8DB1A73307642B20A3EA,SHA256=6B7B5FA27F691C9C3E00685A9A6A2CEBEF55FB586E5C73427B288F14E873D9E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002258422Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.790{9DBE88B5-5878-61B2-D009-010000000E02}60606448C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258419Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.777{9DBE88B5-5878-61B2-D109-010000000E02}79002128C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-D009-010000000E02}6060C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258412Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.765{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-D009-010000000E02}6060C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258411Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.765{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-D009-010000000E02}6060C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258410Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.765{9DBE88B5-5878-61B2-D009-010000000E02}6060C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258407Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.749{9DBE88B5-5878-61B2-CF09-010000000E02}66047840C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-CE09-010000000E02}4512C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258401Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.738{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-CE09-010000000E02}4512C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258400Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.737{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-CE09-010000000E02}4512C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258399Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.737{9DBE88B5-5878-61B2-CE09-010000000E02}4512C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258396Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.722{9DBE88B5-5878-61B2-CD09-010000000E02}56005300C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-CC09-010000000E02}4976C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258390Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.711{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-CC09-010000000E02}4976C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258389Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.711{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-CC09-010000000E02}4976C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258388Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.711{9DBE88B5-5878-61B2-CC09-010000000E02}4976C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258385Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.696{9DBE88B5-5878-61B2-CB09-010000000E02}80007448C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-CA09-010000000E02}4504C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258379Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.684{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-CA09-010000000E02}4504C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258378Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.683{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-CA09-010000000E02}4504C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258377Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.684{9DBE88B5-5878-61B2-CA09-010000000E02}4504C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258374Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.668{9DBE88B5-5878-61B2-C909-010000000E02}75405592C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-C809-010000000E02}6680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258368Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.657{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-C809-010000000E02}6680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258367Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.657{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-C809-010000000E02}6680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258366Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.657{9DBE88B5-5878-61B2-C809-010000000E02}6680C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258363Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.642{9DBE88B5-5878-61B2-C709-010000000E02}80445084C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-C609-010000000E02}1640C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258356Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.630{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-C609-010000000E02}1640C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258355Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.630{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-C609-010000000E02}1640C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258354Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.630{9DBE88B5-5878-61B2-C609-010000000E02}1640C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258351Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.615{9DBE88B5-5878-61B2-C509-010000000E02}69047568C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-C409-010000000E02}8028C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258345Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.604{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-C409-010000000E02}8028C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258344Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.603{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-C409-010000000E02}8028C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258343Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.603{9DBE88B5-5878-61B2-C409-010000000E02}8028C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258319Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.588{9DBE88B5-5878-61B2-C309-010000000E02}36841172C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-C209-010000000E02}5732C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258313Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.576{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-C209-010000000E02}5732C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258312Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.576{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-C209-010000000E02}5732C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258311Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.576{9DBE88B5-5878-61B2-C209-010000000E02}5732C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258308Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.560{9DBE88B5-5878-61B2-C109-010000000E02}62127720C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-C009-010000000E02}5132C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258302Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.549{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-C009-010000000E02}5132C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258301Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.548{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-C009-010000000E02}5132C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258300Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.548{9DBE88B5-5878-61B2-C009-010000000E02}5132C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258297Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.534{9DBE88B5-5878-61B2-BF09-010000000E02}31721972C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-BE09-010000000E02}7028C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258291Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.522{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-BE09-010000000E02}7028C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258290Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.522{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-BE09-010000000E02}7028C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258289Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.522{9DBE88B5-5878-61B2-BE09-010000000E02}7028C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258286Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.507{9DBE88B5-5878-61B2-BD09-010000000E02}81286624C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-BC09-010000000E02}4748C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258279Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.496{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-BC09-010000000E02}4748C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258278Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.495{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-BC09-010000000E02}4748C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258277Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.495{9DBE88B5-5878-61B2-BC09-010000000E02}4748C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258274Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.479{9DBE88B5-5878-61B2-BB09-010000000E02}81567496C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-BA09-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258267Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.465{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-BA09-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002258266Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.465{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-BA09-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258265Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.465{9DBE88B5-5878-61B2-BA09-010000000E02}208C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258263Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.462{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258248Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.454{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258181Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.411{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258179Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.405{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258163Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.397{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258097Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.355{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258096Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.355{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258094Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.349{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258079Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.341{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002258013Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.298{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258012Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.297{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-B909-010000000E02}1516C:\Windows\system32\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002258011Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.294{9DBE88B5-5878-61B2-B809-010000000E02}6160ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac43FA.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002258010Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.288{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-B909-010000000E02}1516C:\Windows\system32\net.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002258004Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.287{9DBE88B5-5878-61B2-B809-010000000E02}61607360C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5878-61B2-B909-010000000E02}1516C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002258003Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.288{9DBE88B5-5878-61B2-B909-010000000E02}1516C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" Stop WsearchC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002258002Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.279{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257997Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.277{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257996Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.276{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca360024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c9803a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97d665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c78d5(wow64) 154100x80000000000000002257995Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:48.277{9DBE88B5-5878-61B2-B809-010000000E02}6160C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop WsearchC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002257929Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:45.748{9DBE88B5-5873-61B2-9C09-010000000E02}700ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmpMD5=81F9601E3C5B8DB1A73307642B20A3EA,SHA256=6B7B5FA27F691C9C3E00685A9A6A2CEBEF55FB586E5C73427B288F14E873D9E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002257890Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.341{9DBE88B5-5874-61B2-B509-010000000E02}81886376C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257887Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.327{9DBE88B5-5874-61B2-B609-010000000E02}27205768C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-B509-010000000E02}8188C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257881Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.314{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-B509-010000000E02}8188C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257880Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.314{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-B509-010000000E02}8188C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257879Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.315{9DBE88B5-5874-61B2-B509-010000000E02}8188C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257876Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.298{9DBE88B5-5874-61B2-B409-010000000E02}61487684C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-B309-010000000E02}8108C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257870Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.286{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-B309-010000000E02}8108C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257869Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.286{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-B309-010000000E02}8108C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257868Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.287{9DBE88B5-5874-61B2-B309-010000000E02}8108C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257865Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.270{9DBE88B5-5874-61B2-B209-010000000E02}64486060C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-B109-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257859Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.258{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-B109-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257858Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.258{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-B109-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257857Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.259{9DBE88B5-5874-61B2-B109-010000000E02}7840C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257854Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.243{9DBE88B5-5874-61B2-B009-010000000E02}62644512C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-AF09-010000000E02}5300C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257848Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.231{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-AF09-010000000E02}5300C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257847Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.231{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-AF09-010000000E02}5300C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257846Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.231{9DBE88B5-5874-61B2-AF09-010000000E02}5300C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257843Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.216{9DBE88B5-5874-61B2-AE09-010000000E02}73844976C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-AD09-010000000E02}5484C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257837Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.204{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-AD09-010000000E02}5484C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257836Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.204{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-AD09-010000000E02}5484C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257835Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.205{9DBE88B5-5874-61B2-AD09-010000000E02}5484C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257831Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.188{9DBE88B5-5874-61B2-AC09-010000000E02}80004732C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-AB09-010000000E02}3096C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257825Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.175{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-AB09-010000000E02}3096C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257824Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.175{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-AB09-010000000E02}3096C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257823Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.176{9DBE88B5-5874-61B2-AB09-010000000E02}3096C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257820Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.160{9DBE88B5-5874-61B2-AA09-010000000E02}74806680C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-A909-010000000E02}5084C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257814Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.148{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-A909-010000000E02}5084C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257813Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.148{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-A909-010000000E02}5084C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257812Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.149{9DBE88B5-5874-61B2-A909-010000000E02}5084C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257809Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.134{9DBE88B5-5874-61B2-A809-010000000E02}81521640C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-A709-010000000E02}7568C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257802Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.121{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-A709-010000000E02}7568C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257801Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.120{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-A709-010000000E02}7568C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257800Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.121{9DBE88B5-5874-61B2-A709-010000000E02}7568C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257796Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.102{9DBE88B5-5874-61B2-A609-010000000E02}80281108C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-A509-010000000E02}7732C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257790Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.090{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-A509-010000000E02}7732C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257789Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.090{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-A509-010000000E02}7732C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257788Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.090{9DBE88B5-5874-61B2-A509-010000000E02}7732C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257785Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.074{9DBE88B5-5874-61B2-A409-010000000E02}57323824C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-A309-010000000E02}7692C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257779Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.063{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-A309-010000000E02}7692C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257778Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.062{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-A309-010000000E02}7692C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257777Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.063{9DBE88B5-5874-61B2-A309-010000000E02}7692C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257774Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.047{9DBE88B5-5874-61B2-A209-010000000E02}51326580C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-A109-010000000E02}5368C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257768Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.036{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-A109-010000000E02}5368C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257767Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.036{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-A109-010000000E02}5368C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257766Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.036{9DBE88B5-5874-61B2-A109-010000000E02}5368C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257763Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.018{9DBE88B5-5874-61B2-A009-010000000E02}70288144C:\Windows\system32\conhost.exe{9DBE88B5-5874-61B2-9F09-010000000E02}2040C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257757Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.005{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5874-61B2-9F09-010000000E02}2040C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257756Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.005{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5874-61B2-9F09-010000000E02}2040C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257755Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.005{9DBE88B5-5874-61B2-9F09-010000000E02}2040C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' Stop Wsearch" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257753Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:44.001{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002257736Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.993{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002257669Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.950{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257667Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.945{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002257650Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.936{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002257584Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.896{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257583Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.896{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257581Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.890{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002257564Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.882{9DBE88B5-5873-61B2-9E09-010000000E02}70004340C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002257489Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.775{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257488Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.773{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5873-61B2-9D09-010000000E02}4288C:\Windows\system32\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002257487Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.771{9DBE88B5-5873-61B2-9C09-010000000E02}700ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac3257.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002257484Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.764{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5873-61B2-9D09-010000000E02}4288C:\Windows\system32\net.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257480Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.763{9DBE88B5-5873-61B2-9C09-010000000E02}7008004C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5873-61B2-9D09-010000000E02}4288C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002257479Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.763{9DBE88B5-5873-61B2-9D09-010000000E02}4288C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" Stop WsearchC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop Wsearch 10341000x80000000000000002257478Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.755{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002257473Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.753{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002257472Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.752{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca360024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c9803a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97d665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c78d5(wow64) 154100x80000000000000002257471Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:26:43.752{9DBE88B5-5873-61B2-9C09-010000000E02}700C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" Stop WsearchC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000002256442Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:25:24.496{9DBE88B5-C32E-61A8-0D00-000000000E02}9086108C:\Windows\system32\svchost.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254593Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:23:22.998{9DBE88B5-2F14-61B2-9603-010000000E02}80647832C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254592Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:23:22.997{9DBE88B5-2F14-61B2-9603-010000000E02}80647832C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254591Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:23:22.997{9DBE88B5-2F14-61B2-9603-010000000E02}80647832C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254590Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:23:22.996{9DBE88B5-2F14-61B2-9603-010000000E02}80646016C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254589Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:23:22.996{9DBE88B5-2F14-61B2-9603-010000000E02}80646016C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254588Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:23:22.996{9DBE88B5-2F14-61B2-9603-010000000E02}80646016C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002254587Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:23:22.996{9DBE88B5-2F14-61B2-9603-010000000E02}80646016C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002251555Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:19:23.485{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002247703Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:14.681{9DBE88B5-5584-61B2-0909-010000000E02}7336ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmpMD5=779F5AB5327FC99736B1988354F6553D,SHA256=829218A94D9D3DCC375F7D9CC3C37D5A17F8DB233048893BBB47F03C17D85240,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002247698Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.342{9DBE88B5-5585-61B2-2109-010000000E02}80364144C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247695Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.329{9DBE88B5-5585-61B2-2209-010000000E02}74285600C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-2109-010000000E02}8036C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247690Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.317{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-2109-010000000E02}8036C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247688Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.317{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-2109-010000000E02}8036C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247687Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.317{9DBE88B5-5585-61B2-2109-010000000E02}8036C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247684Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.300{9DBE88B5-5585-61B2-2009-010000000E02}81808104C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-1F09-010000000E02}4748C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247678Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.288{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-1F09-010000000E02}4748C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247677Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.288{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-1F09-010000000E02}4748C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247676Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.288{9DBE88B5-5585-61B2-1F09-010000000E02}4748C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247672Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.271{9DBE88B5-5585-61B2-1E09-010000000E02}73845488C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-1D09-010000000E02}6456C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247666Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.260{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-1D09-010000000E02}6456C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247665Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.260{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-1D09-010000000E02}6456C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247664Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.260{9DBE88B5-5585-61B2-1D09-010000000E02}6456C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247661Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.244{9DBE88B5-5585-61B2-1C09-010000000E02}78805648C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-1B09-010000000E02}5152C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247655Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.232{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-1B09-010000000E02}5152C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247654Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.232{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-1B09-010000000E02}5152C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247653Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.231{9DBE88B5-5585-61B2-1B09-010000000E02}5152C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247650Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.216{9DBE88B5-5585-61B2-1A09-010000000E02}65805476C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-1909-010000000E02}3172C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247645Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.204{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-1909-010000000E02}3172C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247643Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.203{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-1909-010000000E02}3172C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247642Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.204{9DBE88B5-5585-61B2-1909-010000000E02}3172C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247639Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.188{9DBE88B5-5585-61B2-1809-010000000E02}13644692C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-1709-010000000E02}6364C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247633Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.176{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-1709-010000000E02}6364C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247632Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.176{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-1709-010000000E02}6364C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247631Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.176{9DBE88B5-5585-61B2-1709-010000000E02}6364C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247628Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.161{9DBE88B5-5585-61B2-1609-010000000E02}77723492C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-1509-010000000E02}6676C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247622Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.149{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-1509-010000000E02}6676C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247621Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.148{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-1509-010000000E02}6676C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247620Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.148{9DBE88B5-5585-61B2-1509-010000000E02}6676C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247616Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.132{9DBE88B5-5585-61B2-1409-010000000E02}78281108C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-1309-010000000E02}4720C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247610Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.119{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-1309-010000000E02}4720C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247609Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.119{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-1309-010000000E02}4720C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247608Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.119{9DBE88B5-5585-61B2-1309-010000000E02}4720C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247605Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.103{9DBE88B5-5585-61B2-1209-010000000E02}24242688C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-1109-010000000E02}2664C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247599Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.091{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-1109-010000000E02}2664C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247598Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.091{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-1109-010000000E02}2664C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247597Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.091{9DBE88B5-5585-61B2-1109-010000000E02}2664C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247594Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.075{9DBE88B5-5585-61B2-1009-010000000E02}80287400C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-0F09-010000000E02}5376C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247587Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.063{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-0F09-010000000E02}5376C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247586Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.062{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-0F09-010000000E02}5376C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247585Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.062{9DBE88B5-5585-61B2-0F09-010000000E02}5376C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247582Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.047{9DBE88B5-5585-61B2-0E09-010000000E02}67525664C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-0D09-010000000E02}4676C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247576Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.035{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-0D09-010000000E02}4676C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247575Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.035{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-0D09-010000000E02}4676C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247574Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.035{9DBE88B5-5585-61B2-0D09-010000000E02}4676C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247571Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.019{9DBE88B5-5585-61B2-0C09-010000000E02}76966300C:\Windows\system32\conhost.exe{9DBE88B5-5585-61B2-0B09-010000000E02}1792C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247563Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.004{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5585-61B2-0B09-010000000E02}1792C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247562Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.004{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5585-61B2-0B09-010000000E02}1792C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247561Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.004{9DBE88B5-5585-61B2-0B09-010000000E02}1792C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247559Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:13.000{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002247544Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.991{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002247477Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.947{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247475Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.942{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002247460Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.933{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002247393Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.890{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247392Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.890{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247390Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.885{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002247375Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.876{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002247309Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.830{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247308Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.828{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5584-61B2-0A09-010000000E02}7960C:\Windows\system32\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002247307Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.825{9DBE88B5-5584-61B2-0909-010000000E02}7336ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBCFD.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002247305Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.819{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5584-61B2-0A09-010000000E02}7960C:\Windows\system32\net.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247300Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.818{9DBE88B5-5584-61B2-0909-010000000E02}73364864C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5584-61B2-0A09-010000000E02}7960C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002247299Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.818{9DBE88B5-5584-61B2-0A09-010000000E02}7960C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" START WSEARCHC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002247298Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.811{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002247293Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.808{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002247292Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.808{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca360024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c9803a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97d665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c78d5(wow64) 154100x80000000000000002247291Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:14:12.807{9DBE88B5-5584-61B2-0909-010000000E02}7336C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCHC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002247054Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:59.376{9DBE88B5-5575-61B2-EC08-010000000E02}4380ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmpMD5=4708311A8B9ACD3CFC9475922E233332,SHA256=0DC7E591BF694FB2C7DFA9D8F3C8D08FD25017EBCC0C4229D84C59C894B95564,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002247001Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:58.014{9DBE88B5-5575-61B2-0409-010000000E02}56485644C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246998Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:58.002{9DBE88B5-5575-61B2-0509-010000000E02}54686040C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-0409-010000000E02}5648C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246992Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.991{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-0409-010000000E02}5648C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246991Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.991{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-0409-010000000E02}5648C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246990Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.991{9DBE88B5-5575-61B2-0409-010000000E02}5648C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246987Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.975{9DBE88B5-5575-61B2-0309-010000000E02}71804692C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-0209-010000000E02}6148C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246981Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.964{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-0209-010000000E02}6148C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246980Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.963{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-0209-010000000E02}6148C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246979Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.964{9DBE88B5-5575-61B2-0209-010000000E02}6148C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246976Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.948{9DBE88B5-5575-61B2-0109-010000000E02}34927672C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-0009-010000000E02}7772C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246970Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.937{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-0009-010000000E02}7772C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246969Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.937{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-0009-010000000E02}7772C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246968Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.937{9DBE88B5-5575-61B2-0009-010000000E02}7772C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246965Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.921{9DBE88B5-5575-61B2-FF08-010000000E02}66081108C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-FE08-010000000E02}8156C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246959Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.910{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-FE08-010000000E02}8156C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246958Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.909{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-FE08-010000000E02}8156C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246957Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.910{9DBE88B5-5575-61B2-FE08-010000000E02}8156C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246953Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.894{9DBE88B5-5575-61B2-FD08-010000000E02}81085292C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-FC08-010000000E02}6924C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246947Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.883{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-FC08-010000000E02}6924C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246946Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.882{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-FC08-010000000E02}6924C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246945Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.883{9DBE88B5-5575-61B2-FC08-010000000E02}6924C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246942Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.867{9DBE88B5-5575-61B2-FB08-010000000E02}16207400C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-FA08-010000000E02}7888C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246936Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.855{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-FA08-010000000E02}7888C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246935Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.855{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-FA08-010000000E02}7888C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246934Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.855{9DBE88B5-5575-61B2-FA08-010000000E02}7888C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246931Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.839{9DBE88B5-5575-61B2-F908-010000000E02}56644640C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-F808-010000000E02}6752C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246925Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.828{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-F808-010000000E02}6752C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246924Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.828{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-F808-010000000E02}6752C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246923Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.828{9DBE88B5-5575-61B2-F808-010000000E02}6752C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246920Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.813{9DBE88B5-5575-61B2-F708-010000000E02}6300208C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-F608-010000000E02}8140C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246914Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.801{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-F608-010000000E02}8140C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246913Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.801{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-F608-010000000E02}8140C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246912Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.801{9DBE88B5-5575-61B2-F608-010000000E02}8140C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246909Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.785{9DBE88B5-5575-61B2-F508-010000000E02}19644100C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-F408-010000000E02}7804C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246903Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.774{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-F408-010000000E02}7804C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246902Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.774{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-F408-010000000E02}7804C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246901Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.774{9DBE88B5-5575-61B2-F408-010000000E02}7804C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246897Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.758{9DBE88B5-5575-61B2-F308-010000000E02}75647692C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-F208-010000000E02}7356C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246891Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.747{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-F208-010000000E02}7356C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246890Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.747{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-F208-010000000E02}7356C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246889Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.746{9DBE88B5-5575-61B2-F208-010000000E02}7356C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246886Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.730{9DBE88B5-5575-61B2-F108-010000000E02}35247308C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-F008-010000000E02}7680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246880Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.719{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-F008-010000000E02}7680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246879Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.719{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-F008-010000000E02}7680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246878Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.719{9DBE88B5-5575-61B2-F008-010000000E02}7680C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246874Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.703{9DBE88B5-5575-61B2-EF08-010000000E02}53684508C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-EE08-010000000E02}5780C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246868Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.691{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-EE08-010000000E02}5780C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246867Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.690{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-EE08-010000000E02}5780C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246866Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.690{9DBE88B5-5575-61B2-EE08-010000000E02}5780C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246864Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.687{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002246844Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.677{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002246776Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.635{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246774Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.629{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002246755Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.620{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002246688Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.578{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246687Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.578{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246684Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.572{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002246665Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.562{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002246595Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.505{9DBE88B5-C32E-61A8-0C00-000000000E02}8486480C:\Windows\system32\svchost.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246593Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.503{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-ED08-010000000E02}7320C:\Windows\system32\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002246592Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.500{9DBE88B5-5575-61B2-EC08-010000000E02}4380ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac811D.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002246591Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.493{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-ED08-010000000E02}7320C:\Windows\system32\net.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246585Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.492{9DBE88B5-5575-61B2-EC08-010000000E02}43806160C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5575-61B2-ED08-010000000E02}7320C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002246584Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.493{9DBE88B5-5575-61B2-ED08-010000000E02}7320C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" STOP WSEARCHC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002246583Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.483{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002246578Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.480{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002246577Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.480{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca360024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c9803a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97d665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c78d5(wow64) 154100x80000000000000002246576Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:57.480{9DBE88B5-5575-61B2-EC08-010000000E02}4380C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCHC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002245616Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:08.884{9DBE88B5-5543-61B2-C308-010000000E02}5464ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmpMD5=779F5AB5327FC99736B1988354F6553D,SHA256=829218A94D9D3DCC375F7D9CC3C37D5A17F8DB233048893BBB47F03C17D85240,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245611Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.542{9DBE88B5-5543-61B2-DB08-010000000E02}2086264C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245608Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.530{9DBE88B5-5543-61B2-DC08-010000000E02}76487608C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-DB08-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245602Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.519{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-DB08-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245601Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.518{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-DB08-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245600Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.519{9DBE88B5-5543-61B2-DB08-010000000E02}208C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245597Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.503{9DBE88B5-5543-61B2-DA08-010000000E02}73727960C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-D908-010000000E02}6276C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245590Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.492{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-D908-010000000E02}6276C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245589Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.492{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-D908-010000000E02}6276C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245588Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.492{9DBE88B5-5543-61B2-D908-010000000E02}6276C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245585Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.476{9DBE88B5-5543-61B2-D808-010000000E02}66247564C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-D708-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245579Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.465{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-D708-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245578Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.464{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-D708-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245577Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.465{9DBE88B5-5543-61B2-D708-010000000E02}7840C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245573Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.447{9DBE88B5-5543-61B2-D608-010000000E02}4900948C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-D508-010000000E02}7680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245567Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.434{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-D508-010000000E02}7680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245566Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.434{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-D508-010000000E02}7680C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245565Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.434{9DBE88B5-5543-61B2-D508-010000000E02}7680C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245562Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.419{9DBE88B5-5543-61B2-D408-010000000E02}75963524C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-D308-010000000E02}3808C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245556Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.407{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-D308-010000000E02}3808C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245555Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.407{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-D308-010000000E02}3808C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245554Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.407{9DBE88B5-5543-61B2-D308-010000000E02}3808C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245550Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.390{9DBE88B5-5543-61B2-D208-010000000E02}65566376C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-D108-010000000E02}8128C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245544Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.377{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-D108-010000000E02}8128C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245543Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.377{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-D108-010000000E02}8128C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245542Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.377{9DBE88B5-5543-61B2-D108-010000000E02}8128C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245539Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.358{9DBE88B5-5543-61B2-D008-010000000E02}47765616C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-CF08-010000000E02}2800C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245533Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.345{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-CF08-010000000E02}2800C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245532Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.345{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-CF08-010000000E02}2800C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245531Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.345{9DBE88B5-5543-61B2-CF08-010000000E02}2800C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245528Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.329{9DBE88B5-5543-61B2-CE08-010000000E02}55805680C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-CD08-010000000E02}7796C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245522Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.317{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-CD08-010000000E02}7796C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245521Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.317{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-CD08-010000000E02}7796C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245520Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.317{9DBE88B5-5543-61B2-CD08-010000000E02}7796C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245516Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.301{9DBE88B5-5543-61B2-CC08-010000000E02}20405436C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-CB08-010000000E02}7276C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245510Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.290{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-CB08-010000000E02}7276C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245509Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.290{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-CB08-010000000E02}7276C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245508Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.291{9DBE88B5-5543-61B2-CB08-010000000E02}7276C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245505Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.276{9DBE88B5-5543-61B2-CA08-010000000E02}66128016C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-C908-010000000E02}5756C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245499Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.265{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-C908-010000000E02}5756C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245498Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.265{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-C908-010000000E02}5756C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245497Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.265{9DBE88B5-5543-61B2-C908-010000000E02}5756C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245494Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.250{9DBE88B5-5543-61B2-C808-010000000E02}64604764C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-C708-010000000E02}6180C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245488Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.239{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-C708-010000000E02}6180C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245487Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.239{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-C708-010000000E02}6180C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245486Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.239{9DBE88B5-5543-61B2-C708-010000000E02}6180C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245483Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.224{9DBE88B5-5543-61B2-C608-010000000E02}77201112C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-C508-010000000E02}6204C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245477Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.213{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-C508-010000000E02}6204C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245476Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.213{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-C508-010000000E02}6204C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245475Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.213{9DBE88B5-5543-61B2-C508-010000000E02}6204C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' START WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245473Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.209{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002245458Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.202{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002245392Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.162{9DBE88B5-C32E-61A8-0C00-000000000E02}8482116C:\Windows\system32\svchost.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245390Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.156{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002245375Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.149{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002245309Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.110{9DBE88B5-C32E-61A8-0C00-000000000E02}8482116C:\Windows\system32\svchost.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245308Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.109{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245306Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.104{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002245291Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.097{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002245225Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.054{9DBE88B5-C32E-61A8-0C00-000000000E02}8482116C:\Windows\system32\svchost.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245224Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.052{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-C408-010000000E02}1172C:\Windows\system32\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002245223Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.050{9DBE88B5-5543-61B2-C308-010000000E02}5464ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\RacBC08.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002245222Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.043{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-C408-010000000E02}1172C:\Windows\system32\net.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245216Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.042{9DBE88B5-5543-61B2-C308-010000000E02}54645672C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5543-61B2-C408-010000000E02}1172C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002245215Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.042{9DBE88B5-5543-61B2-C408-010000000E02}1172C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" START WSEARCHC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCH 10341000x80000000000000002245214Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.034{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002245209Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.032{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002245208Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.032{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca360024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c9803a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97d665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c78d5(wow64) 154100x80000000000000002245207Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:13:07.028{9DBE88B5-5543-61B2-C308-010000000E02}5464C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" START WSEARCHC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000002245000Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:52.340{9DBE88B5-5532-61B2-A608-010000000E02}7540ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmpMD5=4708311A8B9ACD3CFC9475922E233332,SHA256=0DC7E591BF694FB2C7DFA9D8F3C8D08FD25017EBCC0C4229D84C59C894B95564,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002244992Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.936{9DBE88B5-5532-61B2-BF08-010000000E02}26884576C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244989Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.923{9DBE88B5-5532-61B2-C008-010000000E02}24245292C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-BF08-010000000E02}2688C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244983Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.912{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-BF08-010000000E02}2688C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244982Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.912{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-BF08-010000000E02}2688C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244981Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.912{9DBE88B5-5532-61B2-BF08-010000000E02}2688C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244978Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.896{9DBE88B5-5532-61B2-BE08-010000000E02}6726768C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-BD08-010000000E02}8004C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244972Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.885{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-BD08-010000000E02}8004C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244971Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.884{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-BD08-010000000E02}8004C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244970Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.884{9DBE88B5-5532-61B2-BD08-010000000E02}8004C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244967Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.869{9DBE88B5-5532-61B2-BC08-010000000E02}60763468C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-BB08-010000000E02}2604C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244960Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.856{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-BB08-010000000E02}2604C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244959Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.856{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-BB08-010000000E02}2604C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244958Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.857{9DBE88B5-5532-61B2-BB08-010000000E02}2604C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244955Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.841{9DBE88B5-5532-61B2-BA08-010000000E02}81607820C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-B908-010000000E02}6108C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244949Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.830{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-B908-010000000E02}6108C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244948Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.830{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-B908-010000000E02}6108C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244947Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.830{9DBE88B5-5532-61B2-B908-010000000E02}6108C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244944Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.814{9DBE88B5-5532-61B2-B808-010000000E02}17924676C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-B708-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244938Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.802{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-B708-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244937Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.802{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-B708-010000000E02}208C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244936Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.802{9DBE88B5-5532-61B2-B708-010000000E02}208C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244933Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.786{9DBE88B5-5532-61B2-B608-010000000E02}19647336C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-B508-010000000E02}4348C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244927Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.775{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-B508-010000000E02}4348C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244926Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.774{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-B508-010000000E02}4348C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244925Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.775{9DBE88B5-5532-61B2-B508-010000000E02}4348C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244922Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.759{9DBE88B5-5532-61B2-B408-010000000E02}73561132C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-B308-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244916Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.748{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-B308-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244915Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.747{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-B308-010000000E02}7840C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244914Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.748{9DBE88B5-5532-61B2-B308-010000000E02}7840C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244911Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.732{9DBE88B5-5532-61B2-B208-010000000E02}77605636C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-B108-010000000E02}348C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244904Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.719{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-B108-010000000E02}348C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244903Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.719{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-B108-010000000E02}348C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244902Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.719{9DBE88B5-5532-61B2-B108-010000000E02}348C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244898Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.701{9DBE88B5-5532-61B2-B008-010000000E02}61727952C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-AF08-010000000E02}6060C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244892Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.688{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-AF08-010000000E02}6060C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244891Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.688{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-AF08-010000000E02}6060C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244890Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.688{9DBE88B5-5532-61B2-AF08-010000000E02}6060C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244887Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.672{9DBE88B5-5532-61B2-AE08-010000000E02}73162860C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-AD08-010000000E02}7916C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244881Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.661{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-AD08-010000000E02}7916C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244880Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.660{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-AD08-010000000E02}7916C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244879Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.661{9DBE88B5-5532-61B2-AD08-010000000E02}7916C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244876Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.645{9DBE88B5-5532-61B2-AC08-010000000E02}61606692C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-AB08-010000000E02}4776C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244870Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.633{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-AB08-010000000E02}4776C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244869Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.632{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-AB08-010000000E02}4776C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244868Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.632{9DBE88B5-5532-61B2-AB08-010000000E02}4776C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244865Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.597{9DBE88B5-5532-61B2-AA08-010000000E02}46005984C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-A908-010000000E02}7332C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244859Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.569{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-A908-010000000E02}7332C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244858Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.569{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-A908-010000000E02}7332C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244857Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.552{9DBE88B5-5532-61B2-A908-010000000E02}7332C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmp -d Name="net.exe" -d ExecutablePath="C:\Windows\System32\net.exe" -d CommandLine="'C:\Windows\system32\net.exe' STOP WSEARCH" -d TimeSinceExeCreation=1220 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244854Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.548{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002244839Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.541{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002244773Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.500{9DBE88B5-C32E-61A8-0C00-000000000E02}8482116C:\Windows\system32\svchost.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244771Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.494{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002244756Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.487{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002244690Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.447{9DBE88B5-C32E-61A8-0C00-000000000E02}8482116C:\Windows\system32\svchost.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244689Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.446{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244687Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.441{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002244672Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.433{9DBE88B5-5532-61B2-A808-010000000E02}9044928C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002244596Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.286{9DBE88B5-C32E-61A8-0C00-000000000E02}8482116C:\Windows\system32\svchost.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244595Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.285{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-A708-010000000E02}7160C:\Windows\system32\net.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002244594Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.282{9DBE88B5-5532-61B2-A608-010000000E02}7540ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac7A8A.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002244593Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.275{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-A708-010000000E02}7160C:\Windows\system32\net.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244587Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.274{9DBE88B5-5532-61B2-A608-010000000E02}75407028C:\Program Files\Raccine\Raccine.exe{9DBE88B5-5532-61B2-A708-010000000E02}7160C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002244586Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.273{9DBE88B5-5532-61B2-A708-010000000E02}7160C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exe"C:\Windows\system32\net.exe" STOP WSEARCHC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCH 10341000x80000000000000002244585Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.232{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002244580Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.229{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002244579Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.229{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca360024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c9803a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97d665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e3710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97c78d5(wow64) 154100x80000000000000002244578Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 19:12:50.229{9DBE88B5-5532-61B2-A608-010000000E02}7540C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\system32\net.exe" STOP WSEARCHC:\Users\Administrator\Downloads\PSBits-master\PSBits-master\IFilter\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000002165805Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:17.094{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165790Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:17.086{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165724Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:17.044{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165722Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:17.038{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165707Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:17.030{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165641Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:16.990{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165640Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:16.989{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+1e7b|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165638Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:16.984{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165623Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:16.976{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165557Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:16.930{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165556Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:16.930{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8405-010000000E02}7620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+1d80|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002165555Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:16.925{9DBE88B5-3BBF-61B2-8305-010000000E02}7852ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmpMD5=8D83BF4690F88A5E77EB9980E5517DB4,SHA256=997F52D18A246E33B586CD032E13DC4AB052DF902992218298827942FAAE786E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002165548Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.575{9DBE88B5-3BBF-61B2-9B05-010000000E02}38127324C:\Program Files\Raccine\yara64.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\yara64.exe+8503f|C:\Program Files\Raccine\yara64.exe+7ce90|C:\Program Files\Raccine\yara64.exe+73b07|C:\Program Files\Raccine\yara64.exe+7303c|C:\Program Files\Raccine\yara64.exe+17c129|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165545Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.562{9DBE88B5-3BBF-61B2-9C05-010000000E02}5664136C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-9B05-010000000E02}3812C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165539Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.550{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-9B05-010000000E02}3812C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165538Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.549{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-9B05-010000000E02}3812C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+116f5|C:\Program Files\Raccine\Raccine.exe+6156|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165537Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.549{9DBE88B5-3BBF-61B2-9B05-010000000E02}3812C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\in-memory\gen_loaders.yar" 6776 -d MemoryScan=1 -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165534Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.533{9DBE88B5-3BBF-61B2-9A05-010000000E02}81246204C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-9905-010000000E02}4252C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165528Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.520{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-9905-010000000E02}4252C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165527Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.520{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-9905-010000000E02}4252C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165526Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.520{9DBE88B5-3BBF-61B2-9905-010000000E02}4252C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ryuk-commandlines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165523Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.503{9DBE88B5-3BBF-61B2-9805-010000000E02}31526444C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-9705-010000000E02}7480C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165517Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.491{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-9705-010000000E02}7480C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165516Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.491{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-9705-010000000E02}7480C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165515Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.491{9DBE88B5-3BBF-61B2-9705-010000000E02}7480C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\powershell_loaders.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165512Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.475{9DBE88B5-3BBF-61B2-9605-010000000E02}53645024C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-9505-010000000E02}5756C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165506Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.463{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-9505-010000000E02}5756C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165505Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.461{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-9505-010000000E02}5756C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165504Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.462{9DBE88B5-3BBF-61B2-9505-010000000E02}5756C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\other_0xa9five_poc.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165501Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.445{9DBE88B5-3BBF-61B2-9405-010000000E02}53965380C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-9305-010000000E02}5464C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165494Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.431{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-9305-010000000E02}5464C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165493Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.431{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-9305-010000000E02}5464C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165492Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.431{9DBE88B5-3BBF-61B2-9305-010000000E02}5464C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_revil.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165489Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.415{9DBE88B5-3BBF-61B2-9205-010000000E02}20607492C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-9105-010000000E02}2712C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165483Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.403{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-9105-010000000E02}2712C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165482Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.403{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-9105-010000000E02}2712C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165481Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.403{9DBE88B5-3BBF-61B2-9105-010000000E02}2712C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_exchange_cryptominer.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165478Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.386{9DBE88B5-3BBF-61B2-9005-010000000E02}81886320C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-8F05-010000000E02}6768C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165472Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.372{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-8F05-010000000E02}6768C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165471Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.371{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8F05-010000000E02}6768C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165470Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.372{9DBE88B5-3BBF-61B2-8F05-010000000E02}6768C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_emotet.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165467Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.355{9DBE88B5-3BBF-61B2-8E05-010000000E02}17885704C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-8D05-010000000E02}1544C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165461Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.342{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-8D05-010000000E02}1544C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165460Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.342{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8D05-010000000E02}1544C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165459Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.342{9DBE88B5-3BBF-61B2-8D05-010000000E02}1544C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\mal_darkside.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165456Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.324{9DBE88B5-3BBF-61B2-8C05-010000000E02}44881372C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-8B05-010000000E02}4888C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165450Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.311{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-8B05-010000000E02}4888C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165449Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.311{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8B05-010000000E02}4888C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165448Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.311{9DBE88B5-3BBF-61B2-8B05-010000000E02}4888C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165443Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.293{9DBE88B5-3BBF-61B2-8A05-010000000E02}61927328C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-8905-010000000E02}4720C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165437Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.281{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-8905-010000000E02}4720C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165436Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.280{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8905-010000000E02}4720C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165435Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.281{9DBE88B5-3BBF-61B2-8905-010000000E02}4720C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_raccine_kills.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165432Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.264{9DBE88B5-3BBF-61B2-8805-010000000E02}42926112C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-8705-010000000E02}6460C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165426Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.252{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44924832C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-8705-010000000E02}6460C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165425Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.252{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8705-010000000E02}6460C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165424Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.252{9DBE88B5-3BBF-61B2-8705-010000000E02}6460C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\gen_powershell_invocation.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165421Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.235{9DBE88B5-3BBF-61B2-8605-010000000E02}67085456C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-8505-010000000E02}6928C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165415Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.218{9DBE88B5-3A8E-61AE-DBA7-000000000E02}44926092C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-8505-010000000E02}6928C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165414Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.217{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8505-010000000E02}6928C:\Program Files\Raccine\yara64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+127ef|C:\Program Files\Raccine\Raccine.exe+5e97|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165413Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.217{9DBE88B5-3BBF-61B2-8505-010000000E02}6928C:\Program Files\Raccine\yara64.exe-----"C:\Program Files\Raccine\yara64.exe" "C:\Program Files\Raccine\yara\ext-vars-test.yar" C:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmp -d Name="powershell.exe" -d ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d CommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' & {write-host \''\''$shadowlist = get-wmiobject win32_shadowcopy$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]$shadowpath = \''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\'' + $maxvolume + \''\Windows\System32\config\SAM\''$mydump = $ENV:temp + '\' + 'myhive'[System.IO.File]::Copy($shadowpath , $mydump)} mp)} " -d TimeSinceExeCreation=1878 -d ParentName="powershell.exe" -d ParentExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -d ParentCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' " -d ParentTimeSinceExeCreation=1878 -d GrandParentName="(unavailable)" -d GrandParentExecutablePath="" -d GrandParentCommandLine="" -d GrandParentTimeSinceExeCreation=0C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=21F3213DA30E04E7EAE6AB37873D96ED,SHA256=63E9D2FEBB3705D5C9BC7489BCEC2B957AAEF8A5D13D0EBAEDC65965D65947E6,IMPHASH=C66AE7C04AD509B05651E45E6E91359E{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165411Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.214{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165396Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.206{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165330Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.164{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165328Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.159{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165313Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.151{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165247Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.109{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165246Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.109{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+5894|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165244Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.104{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165229Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.096{9DBE88B5-3BA0-61B2-4205-010000000E02}39207816C:\Windows\system32\wbem\wmiprvse.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d8b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c2c9|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49cee|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000002165163Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.053{9DBE88B5-C32E-61A8-0C00-000000000E02}8485240C:\Windows\system32\svchost.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165162Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.051{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8405-010000000E02}7620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Raccine\Raccine.exe+c914|C:\Program Files\Raccine\Raccine.exe+57ef|C:\Program Files\Raccine\Raccine.exe+18dc|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000002165161Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.048{9DBE88B5-3BBF-61B2-8305-010000000E02}7852ATTACKRANGE\AdministratorC:\Program Files\Raccine\Raccine.exeC:\Users\ADMINI~1\AppData\Local\Temp\RaccineUserContext\Rac10A6.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002165160Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.042{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8405-010000000E02}7620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1c3aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+c6f00|C:\Windows\System32\KERNELBASE.dll+c6e21|C:\Program Files\Raccine\Raccine.exe+1876|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165154Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.041{9DBE88B5-3BBF-61B2-8305-010000000E02}78525916C:\Program Files\Raccine\Raccine.exe{9DBE88B5-3BBF-61B2-8405-010000000E02}7620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Raccine\Raccine.exe+1848|C:\Program Files\Raccine\Raccine.exe+16914|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000002165153Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.041{9DBE88B5-3BBF-61B2-8405-010000000E02}7620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} 10341000x80000000000000002165152Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.032{9DBE88B5-3AAE-61AE-0EA8-000000000E02}68046848C:\Windows\system32\conhost.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165151Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.030{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c01f5|UNKNOWN(00007FF9867AB323) 10341000x80000000000000002165146Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.027{9DBE88B5-3A8E-61AE-DBA7-000000000E02}4492968C:\Windows\system32\csrss.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000002165145Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.027{9DBE88B5-3AAE-61AE-0DA8-000000000E02}67766968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\207926782604047fb43c0980a31be783\Microsoft.PowerShell.Commands.Management.ni.dll+8657f278(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\207926782604047fb43c0980a31be783\Microsoft.PowerShell.Commands.Management.ni.dll+8657f278(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\207926782604047fb43c0980a31be783\Microsoft.PowerShell.Commands.Management.ni.dll+8657f278(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\207926782604047fb43c0980a31be783\Microsoft.PowerShell.Commands.Management.ni.dll+8657f278(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e2995(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97e27fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c986b92d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97daa82(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+ca2ab304(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ede86fb324c014012c4c689e792a89f4\System.Management.Automation.ni.dll+c97a002a(wow64)|UNKNOWN(00007FF9867DC5C8) 154100x80000000000000002165144Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:15.027{9DBE88B5-3BBF-61B2-8305-010000000E02}7852C:\Program Files\Raccine\Raccine.exe1.4.2.0 BETAA Simple Ransomware Vaccine - see https://github.com/Neo23x0/RaccineRaccineRaccineRaccine.exe"C:\Program Files\Raccine\Raccine.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {write-host \""\"" $shadowlist = get-wmiobject win32_shadowcopy $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]} $maxvolume = ($volumenumbers | Sort-Object -Descending)[0] $shadowpath = \""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\"" + $maxvolume + \""\Windows\System32\config\SAM\"" $mydump = $ENV:temp + '\' + 'myhive' [System.IO.File]::Copy($shadowpath , $mydump)} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9DBE88B5-3A8F-61AE-5CC3-9B0500000000}0x59bc35c2HighMD5=287F6CFBFFD83B75A0F8F749B0F636F3,SHA256=E5364CE4BD1814E003215BFF10DD2F191C33199260DFD2688D4F6CCE4A7C75B8,IMPHASH=B9673CBFF2550CFBFA1668EF53412C24{9DBE88B5-3AAE-61AE-0DA8-000000000E02}6776C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x80000000000000002165111Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.518{9DBE88B5-3A90-61AE-E7A7-000000000E02}48444132C:\Windows\system32\taskhostw.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165110Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.516{9DBE88B5-3A90-61AE-E7A7-000000000E02}48444132C:\Windows\system32\taskhostw.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165109Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.515{9DBE88B5-2F14-61B2-9603-010000000E02}80647708C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165108Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.515{9DBE88B5-2F14-61B2-9603-010000000E02}80647708C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165107Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-2021-12-09 17:24:14.515{9DBE88B5-2F14-61B2-9603-010000000E02}80647708C:\Windows\explorer.exe{9DBE88B5-1135-61B1-7FFF-000000000E02}3164C:\Program Files\Raccine\RaccineSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000002165106Microsoft-Windows-Sysmon/Operationalwin-dc-137.attackrange.local-202