154100x800000000000000026671852Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 21:12:06.447{D271FDA4-15A6-6332-E200-000000007502}6700C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c cscript.exeC:\Users\Administrator\Documents\ATTACKRANGE\Administrator{D271FDA4-14DB-6332-7FFB-0A0000000000}0xafb7f2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{D271FDA4-14F2-6332-AD00-000000007502}4836C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" 154100x800000000000000026671748Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 21:12:04.872{D271FDA4-15A4-6332-DF00-000000007502}6596C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c cscript.exeC:\Users\Administrator\Documents\ATTACKRANGE\Administrator{D271FDA4-14DB-6332-7FFB-0A0000000000}0xafb7f2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{D271FDA4-14F2-6332-AD00-000000007502}4836C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" 154100x800000000000000026671046Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 21:11:42.178{D271FDA4-158E-6332-D900-000000007502}5640C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c cscript.exeC:\Users\Administrator\Documents\ATTACKRANGE\Administrator{D271FDA4-14DB-6332-7FFB-0A0000000000}0xafb7f2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{D271FDA4-14F2-6332-AD00-000000007502}4836C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" 154100x800000000000000026585985Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 21:07:20.455{D271FDA4-1488-6332-FAEF-020000007402}6412C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c cscript.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{D271FDA4-0FB2-6332-52EF-020000007402}5960C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" 154100x800000000000000026582798Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 21:06:26.813{D271FDA4-1452-6332-F0EF-020000007402}5536C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c cscript.exe c:\atomicredteam\atomics\T1082\src\griffon_recon.vbsC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{D271FDA4-0FB2-6332-52EF-020000007402}5960C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" 154100x800000000000000026578832Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 21:05:00.168{D271FDA4-13FC-6332-E6EF-020000007402}6800C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd.exe /c cscript.exe c:\atomicredteam\atomics\T1082\src\griffon_recon.vbsC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{D271FDA4-0FB2-6332-52EF-020000007402}5960C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" 10341000x800000000000000026574636Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 21:03:07.695{D271FDA4-0FB2-6332-52EF-020000007402}59607060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{D271FDA4-1382-6332-D6EF-020000007402}6800C:\Windows\SYSTEM32\cscript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+139203|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1391a2|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+76292|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+75a4f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+8a6be|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+1fa55c|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+12b6|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1612|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026574482Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 21:03:06.668{D271FDA4-0FB2-6332-52EF-020000007402}59607060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{D271FDA4-1382-6332-D6EF-020000007402}6800C:\Windows\SYSTEM32\cscript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+139203|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1391a2|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+76292|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+75a4f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+8a6be|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+1fa55c|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+12b6|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1612|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026573958Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 21:03:03.462{D271FDA4-0FB2-6332-52EF-020000007402}59607060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{D271FDA4-1382-6332-D6EF-020000007402}6800C:\Windows\SYSTEM32\cscript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+139203|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1391a2|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+76292|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+75a4f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+8a6be|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+1fa55c|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+12b6|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1612|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026573359Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 21:02:58.975{D271FDA4-0FB2-6332-52EF-020000007402}59607060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{D271FDA4-1382-6332-D6EF-020000007402}6800C:\Windows\SYSTEM32\cscript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d9437|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d848f|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d8ef8|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d192e|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d24c7|C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL+101086|UNKNOWN(000002676C566D52) 154100x800000000000000026573358Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 21:02:58.975{D271FDA4-1382-6332-D6EF-020000007402}6800C:\Windows\System32\cscript.exe5.812.10240.16384Microsoft ® Console Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationcscript.execscript.exe c:\atomicredteam\atomics\T1082\src\griffon_recon.vbsC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=E1DD134E19E058147D1A35477289C18E,SHA256=2C0C92B939CB47A64ED6942E63F759974B0CC8A30EB401984F172EA3CC0730DC{D271FDA4-0FB2-6332-52EF-020000007402}5960C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" 10341000x800000000000000026567015Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 21:01:08.079{D271FDA4-0FB2-6332-52EF-020000007402}59607060C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{D271FDA4-1314-6332-C4EF-020000007402}8384C:\Windows\SYSTEM32\cscript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d9437|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d848f|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d8ef8|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d192e|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d24c7|C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL+101086|UNKNOWN(000002676C566D52) 154100x800000000000000026567014Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-26 21:01:08.075{D271FDA4-1314-6332-C4EF-020000007402}8384C:\Windows\System32\cscript.exe5.812.10240.16384Microsoft ® Console Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationcscript.execscript.exe c:\atomicredteam\atomics\T1082\src\griffon_recon.vbsC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=E1DD134E19E058147D1A35477289C18E,SHA256=2C0C92B939CB47A64ED6942E63F759974B0CC8A30EB401984F172EA3CC0730DC{D271FDA4-0FB2-6332-52EF-020000007402}5960C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"