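EventID: 1
Version: 5
Level: 4
Task: 1
Opcode: 0
Keywords: 0x8000000000000000
EventRecordID: 502882
Channel: Microsoft-Windows-Sysmon/Operational
Computer: ar-win-dc.attackrange.local
RuleName: -
UtcTime: 2025-04-24 09:54:30.650
ProcessGuid: {d7bc9b2f-0a56-680a-9a01-000000004103}
ProcessId: 2788
Image: C:\Windows\System32\wbem\WMIC.exe
FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
Description: WMI Commandline Utility
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: wmic.exe
CommandLine: wmic path win32_ntlogevent WHERE Logfile='Application'
CurrentDirectory: C:\Users\Administrator\
User: ATTACKRANGE\Administrator
LogonGuid: {d7bc9b2f-08e3-680a-7659-100000000000}
LogonId: 0x105976
TerminalSessionId: 2
IntegrityLevel: High
Hashes: MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E
ParentProcessGuid: {d7bc9b2f-08f7-680a-5d01-000000004103}
ParentProcessId: 7812
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
ParentUser: ATTACKRANGE\Administrator
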
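EventID: 1
Version: 5
Level: 4
Task: 1
Opcode: 0
Keywords: 0x8000000000000000
EventRecordID: 502881
Channel: Microsoft-Windows-Sysmon/Operational
Computer: ar-win-dc.attackrange.local
RuleName: -
UtcTime: 2025-04-24 09:54:27.934
ProcessGuid: {d7bc9b2f-0a53-680a-9901-000000004103}
ProcessId: 7036
Image: C:\Windows\System32\wbem\WMIC.exe
FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
Description: WMI Commandline Utility
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: wmic.exe
CommandLine: wmic path win32_ntlogevent WHERE Logfile = 'Application'
CurrentDirectory: C:\Users\Administrator\
User: ATTACKRANGE\Administrator
LogonGuid: {d7bc9b2f-08e3-680a-7659-100000000000}
LogonId: 0x105976
TerminalSessionId: 2
IntegrityLevel: High
Hashes: MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E
ParentProcessGuid: {d7bc9b2f-08f7-680a-5d01-000000004103}
ParentProcessId: 7812
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
ParentUser: ATTACKRANGE\Administrator
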
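EventID: 1
Version: 5
Level: 4
Task: 1
Opcode: 0
Keywords: 0x8000000000000000
EventRecordID: 502878
Channel: Microsoft-Windows-Sysmon/Operational
Computer: ar-win-dc.attackrange.local
RuleName: -
UtcTime: 2025-04-24 09:54:18.420
ProcessGuid: {d7bc9b2f-0a4a-680a-9601-000000004103}
ProcessId: 5464
Image: C:\Windows\System32\wbem\WMIC.exe
FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
Description: WMI Commandline Utility
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: wmic.exe
CommandLine: wmic ntevent where (LogFile='System' and EventCode=6005) list brief
CurrentDirectory: C:\Users\Administrator\
User: ATTACKRANGE\Administrator
LogonGuid: {d7bc9b2f-08e3-680a-7659-100000000000}
LogonId: 0x105976
TerminalSessionId: 2
IntegrityLevel: High
Hashes: MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E
ParentProcessGuid: {d7bc9b2f-08f7-680a-5d01-000000004103}
ParentProcessId: 7812
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
ParentUser: ATTACKRANGE\Administrator
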
EventID: 1
Version: 5
Level: 4
Task: 1
Opcode: 0
Keywords: 0x8000000000000000
EventRecordID: 502871
Channel: Microsoft-Windows-Sysmon/Operational
Computer: ar-win-dc.attackrange.local
RuleName: -
UtcTime: 2025-04-24 09:53:36.180
ProcessGuid: {d7bc9b2f-0a20-680a-9101-000000004103}
ProcessId: 4976
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -c "Get-WinEvent -LogName Security -MaxEvents 5"
CurrentDirectory: C:\Users\Administrator\
User: ATTACKRANGE\Administrator
LogonGuid: {d7bc9b2f-08e3-680a-7659-100000000000}
LogonId: 0x105976
TerminalSessionId: 2
IntegrityLevel: High
Hashes: MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
ParentProcessGuid: {d7bc9b2f-0968-680a-7b01-000000004103}
ParentProcessId: 8096
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ParentUser: ATTACKRANGE\Administrator

EventID: 1
Version: 5
Level: 4
Task: 1
Opcode: 0
Keywords: 0x8000000000000000
EventRecordID: 502862
Channel: Microsoft-Windows-Sysmon/Operational
Computer: ar-win-dc.attackrange.local
RuleName: -
UtcTime: 2025-04-24 09:51:53.160
ProcessGuid: {d7bc9b2f-09b9-680a-8901-000000004103}
ProcessId: 7312
Image: C:\Windows\System32\wbem\WMIC.exe
FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
Description: WMI Commandline Utility
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: wmic.exe
CommandLine: wmic path win32_ntlogevent WHERE Logfile = 'Application' AND (EventCode = 11728 OR Eventcode = 11724 OR Eventcode = 11707) AND TimeGenerated
CurrentDirectory: C:\Users\Administrator\
User: ATTACKRANGE\Administrator
LogonGuid: {d7bc9b2f-08e3-680a-7659-100000000000}
LogonId: 0x105976
TerminalSessionId: 2
IntegrityLevel: High
Hashes: MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E
ParentProcessGuid: {d7bc9b2f-08f7-680a-5d01-000000004103}
ParentProcessId: 7812
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
ParentUser: ATTACKRANGE\Administrator

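EventID: 1
Version: 5
Level: 4
Task: 1
Opcode: 0
Keywords: 0x8000000000000000
EventRecordID: 502858
Channel: Microsoft-Windows-Sysmon/Operational
Computer: ar-win-dc.attackrange.local
RuleName: -
UtcTime: 2025-04-24 09:51:40.000
ProcessGuid: {d7bc9b2f-09ac-680a-8501-000000004103}
ProcessId: 5508
Image: C:\Windows\System32\wbem\WMIC.exe
FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
Description: WMI Commandline Utility
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: wmic.exe
CommandLine: wmic ntevent where (LogFile='System' and EventCode=6005) list brief
CurrentDirectory: C:\Users\Administrator\
User: ATTACKRANGE\Administrator
LogonGuid: {d7bc9b2f-08e3-680a-7659-100000000000}
LogonId: 0x105976
TerminalSessionId: 2
IntegrityLevel: High
Hashes: MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E
ParentProcessGuid: {d7bc9b2f-08f7-680a-5d01-000000004103}
ParentProcessId: 7812
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
ParentUser: ATTACKRANGE\Administrator
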
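EventID: 1
Version: 5
Level: 4
Task: 1
Opcode: 0
Keywords: 0x8000000000000000
EventRecordID: 502849
Channel: Microsoft-Windows-Sysmon/Operational
Computer: ar-win-dc.attackrange.local
RuleName: -
UtcTime: 2025-04-24 09:50:40.228
ProcessGuid: {d7bc9b2f-0970-680a-7d01-000000004103}
ProcessId: 6960
Image: C:\Windows\System32\wevtutil.exe
FileVersion: 10.0.17763.6766 (WinBuild.160101.0800)
Description: Eventing Command Line Utility
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: wevtutil.exe
CommandLine: wevtutil qe System /c:5 /f:text
CurrentDirectory: C:\Users\Administrator\
User: ATTACKRANGE\Administrator
LogonGuid: {d7bc9b2f-08e3-680a-7659-100000000000}
LogonId: 0x105976
TerminalSessionId: 2
IntegrityLevel: High
Hashes: MD5=7258D839BCAB6A2F475CD6E2D1B0827B,SHA256=6D279EFC425170CBE9F77EFE279A3B4F75B37B5F25BDD62F0137BA5A64C74228,IMPHASH=51690F053BEBA4C2A474FF0EB395C5FB
ParentProcessGuid: {d7bc9b2f-08f7-680a-5d01-000000004103}
ParentProcessId: 7812
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
ParentUser: ATTACKRANGE\Administrator
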
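EventID: 1
Version: 5
Level: 4
Task: 1
Opcode: 0
Keywords: 0x8000000000000000
EventRecordID: 502811
Channel: Microsoft-Windows-Sysmon/Operational
Computer: ar-win-dc.attackrange.local
RuleName: -
UtcTime: 2025-04-24 09:48:44.922
ProcessGuid: {d7bc9b2f-08fc-680a-6601-000000004103}
ProcessId: 5092
Image: C:\Users\Administrator\Downloads\psloglist64.exe
FileVersion: 2.82
Description: local and remote event log viewer
Product: Sysinternals PsLogList
Company: Sysinternals - www.sysinternals.com
OriginalFileName: psloglist.exe
CommandLine: C:\Users\Administrator\Downloads\psloglist64.exe -h
CurrentDirectory: C:\Users\Administrator\
User: ATTACKRANGE\Administrator
LogonGuid: {d7bc9b2f-08e3-680a-7659-100000000000}
LogonId: 0x105976
TerminalSessionId: 2
IntegrityLevel: High
Hashes: MD5=14B2F5291036BE454AE2FC762FF6EAAA,SHA256=5E55B4CAF47A248A10ABD009617684E969DBE5C448D087EE8178262AAAB68636,IMPHASH=E66ACCE85B8F413B2D80E902CFBA5219
ParentProcessGuid: {d7bc9b2f-08f7-680a-5d01-000000004103}
ParentProcessId: 7812
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
ParentUser: ATTACKRANGE\Administrator
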
EventID: 1
Version: 5
Level: 4
Task: 1
Opcode: 0
Keywords: 0x8000000000000000
EventRecordID: 502712
Channel: Microsoft-Windows-Sysmon/Operational
Computer: ar-win-dc.attackrange.local
RuleName: -
UtcTime: 2025-04-24 09:46:37.412
ProcessGuid: {d7bc9b2f-087d-680a-1b01-000000004103}
ProcessId: 4800
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "Get-WinEvent -FilterHashtable @( @{ LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'; Id=12; Level=4 }, @{ LogName='System'; ProviderName='Microsoft-Windows-WER-SystemErrorReporting'; Id=1001; Level=2 } ) | Sort-Object TimeCreated -Descending" "| Select-Object" "Id, Level, ProviderName, TimeCreated, Properties" "| ConvertTo-Json -Depth 3"
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {d7bc9b2f-071d-680a-e703-000000000000}
LogonId: 0x3e7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
ParentProcessGuid: {d7bc9b2f-0875-680a-1401-000000004103}
ParentProcessId: 4920
ParentImage: C:\Program Files\Amazon\SSM\ssm-agent-worker.exe
ParentCommandLine: "C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"
ParentUser: NT AUTHORITY\SYSTEM