354300x80000000000000001046256Microsoft-Windows-Sysmon/Operationalvictim_pc.attack_range.local-2023-06-01 14:03:56.816{95766689-a549-6478-9861-1c1800000000}10080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACK_RANGE\VICTIMtcptruefalse192.168.1.10-61459-false74.208.236.171-443https 154100x80000000000000001046252Microsoft-Windows-Sysmon/Operationalvictim_pc.attack_range.local-2023-06-01 14:03:53.217{95766689-a549-6478-9861-1c1800000000}10080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.19041.546 (WinBuild.160101.0800)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exeC:\Users\VICTIM\AppData\Roaming\com.adobe.dunamis\ATTACK_RANGE\VICTIM{95766689-d58b-6474-c31b-0e0000000000}0xe1bc31MediumMD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7{95766689-a53c-6478-1a18-1c1800000000}12512C:\Windows\System32\cscript.exe"C:\Windows\System32\cscript.exe" "PROOFO~1.JS" 154100x80000000000000001046251Microsoft-Windows-Sysmon/Operationalvictim_pc.attack_range.local-2023-06-01 14:03:40.164{95766689-a53c-6478-1a18-1c1800000000}12512C:\Windows\System32\cscript.exe5.812.10240.16384Microsoft ® Console Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationcscript.exe"C:\Windows\System32\cscript.exe" "PROOFO~1.JS"C:\Users\VICTIM\AppData\Roaming\com.adobe.dunamis\ATTACK_RANGE\VICTIM{95766689-d58b-6474-c31b-0e0000000000}0xe1bc31MediumMD5=24590BF74BBBBFD7D7AC070F4E3C44FD,SHA256=AE37FD1B642E797B36B9FFCEC8A6E986732D011681061800C6B74426C28A9D03,IMPHASH=2B44D2206B9865383429E9C1524F1CAC{95766689-a52e-6478-d9cc-1b1800000000}21364C:\Windows\System32\wscript.exe"C:\WINDOWS\system32\wscript.EXE" PROOFO~1.JS 154100x80000000000000001046248Microsoft-Windows-Sysmon/Operationalvictim_pc.attack_range.local-2023-06-01 14:03:26.644{95766689-a52e-6478-d9cc-1b1800000000}21364C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\WINDOWS\system32\wscript.EXE" PROOFO~1.JSC:\Users\victim\AppData\Roaming\com.adobe.dunamis\ATTACK_RANGE\VICTIM{95766689-d58b-6474-c31b-0e0000000000}0xe1bc31MediumMD5=A47CBE969EA935BDD3AB568BB126BC80,SHA256=34008E2057DF8842DF210246995385A0441DC1E081D60AD15BD481E062E7F100,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C{95766689-d57c-6474-71ed-020000000000}2032C:\Windows\System32\svchost.exeC:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Schedule 11241100x80000000000000001046247Microsoft-Windows-Sysmon/Operationalvictim_pc.attack_range.localT10532023-06-01 14:03:26.619{95766689-d57c-6474-71ed-020000000000}2032C:\WINDOWS\system32\svchost.exeC:\Windows\System32\Tasks\Exterior Restoration2023-06-01 14:03:26.619 13241300x80000000000000001046246Microsoft-Windows-Sysmon/Operationalvictim_pc.attack_range.localSuspicious PathSetValue2023-06-01 14:03:04.157{95766689-a4de-6478-7c57-171800000000}20424C:\Windows\System32\wscript.exeHKU\S-1-5-21-1001\SOFTWARE\Microsoft\Phone\victim\6IPEqMPPAIK1On58l3sIQ+fYS33IDMH1g1Hbb1M9EOxyndrHNuR7Z3NahPKTKtIlQzto5fMJ0liuE53ap94FvjMWTqJZJ90NtKSYBFCmyddKoqjkKeCvooPdffYNYRUDkq757rcrPOxHhswjyk3NaHvdXWic+sSHhfN8O5d9g/nXV5hjirObfNA/sxEoqN2szas/XwMbdSBEikByC98Im8ydm6KqJcKLYuzZtxSFKaBakd6bqvKuqJyDfxizDft4Bz12ONdVY5E3jtn2VEV60iw95X3gA7SbmECHXKl1ydYIU+mtrhg2IDb2kMrYZFHiZ0ZorwFidPzYKyBPeUZ1ebshOChON/utxJbbLxswQH/79dDkNED0LNTCsYIxminDCu6s7vsgS5JZne3AnoZVpt3jizrfPaRRIPdaywurIUo4Fq41wW3jOGZ9gfqGNAL+bHyHTNxQ2VYOL3VGfmpsDzbtIXT5RHkvCWcUlmPUxngcPtmFWMD9HWcPajf8albz1S3isSOtHOij8ha7WYfPUmvTuEWbMfWO0mF8+jC3AWrGwBesu5iCOsXog5L9NhLhDhJ5vCpw3ctVKcVYHAYO9B+QuXBTWZs3+sq4nEv1FcObfBdvINN9Dv6LEwMYpuDELHZcO/JQh3cEAcyMS8HrWLqOtMZ6PNVYVAettyu1M4LtFHzXVJECeGHNJmDj2Xck8iQUzK+Sge7NVUibIs9bredQ7oQRiVMJKW06HeJ7jTur7bN070r3Y2g1zl8gI30D/fYAdqbR7QDd5Cl+RL+92Ft76UwH8F/N01DPrUAA2g7xenVYNckzmNY12fufJx4E/h9HJpJXGr6KZQkPtx/9NMFfFq1eIT/qjDhw23iLHqcEwTEv4AxSShL2WLA5UUiyD7avzO1f9xl3+/1cE0qWJM5yEmWTYSVRuzXfJfzMujmWWrzSDNgWDrXdupfCa9Nbb3WQA+hrShBJj9+bH9YsHA4N7fX4gUb+ncyiwX9XoMMz/fq8bZxcY23FWAX8F/7M+KzOAyvXz4sMQW/FnXcmuiBO+Et8WIIUU/z52Z3RPoAfk4OBNv0mJYzBllUDnSMhbM7Zf62XsWmlx3lrX2Ae4JwCT4xEzkc4iUmM7nOh4jPuhU8e0db67sWyx/lDsArtldkzf2908Ox7r635xKHHT7kuaREQOs+6NEIdKgLtElov5nD7pKIy4ptDL5eYozIuM+INUBXUZ0do84meooH+Wm72C/oVBf7KiJVKgL2ZgNN/U7dme0ACwAv2cMutqXVfqQ74p5TYBx3oi/HFMsdCb7pPpzEEOVH6+O9vzmxEbA2xufaWHRtjuoE1iZMKM8sDBd1D6zPMu1l8hV4K6+59qEZwxl0NlmfitLq1tCqg7S6gp7H+ffzr2mlSznPSq2oH6COKr3KW6ay0VU/Et57YZk71ScS1Sf+cy6Dr/Hog9Iu/w6PHttg8xMfbdoRdEIMfDGq74i1iBzaR+Shjp4AlihT0Hg4Z8AS45kkAV6sStONbhvh5iXe7kj8Zc4dBDfiE6qnydXDdWkxBbRlBmnAF7U0A5nPUcdqZ8CrKDdCYBEcNIR7WQkMIRAp0bF/kwFa4f8IdYM4hjVnmn6T6IbX65ZryR7goh3y/Anm6c5HqC8Bky0oJvMu0mxohn3vAnSBZ1B/DpAuK7K2GmL1I+DbDrV/Oc+A7WuD7atZPwN6LOu2PSb0qOugXDX+j9Qq9LK9RTnvZdr1aDldjdqviYW2v6OHqEcWgC1gbMmhslVyvQ1rGaC9IddEM3 13241300x80000000000000001046245Microsoft-Windows-Sysmon/Operationalvictim_pc.attack_range.localSuspicious PathSetValue2023-06-01 14:03:03.832{95766689-a4de-6478-7c57-171800000000}20424C:\Windows\System32\wscript.exeHKU\S-1-5-21-1001\SOFTWARE\Microsoft\Phone\victim\5mQp8/VYxqtpE+Dpkfo6eRYa9xHrBOdG1v9lSjcxCtxF8n8xvMIVXtIdg35ehvvX6ZGLuIk4poAOvWBbtH2rrDXCf2VGIKp1/pXM/4KAfv8nHTUD6OBtNKNpUepuHYPbB+P5S9mWcGUV9Kojbc3wrUTXVRZ71s7HaNiSf5s4UaKIkWU9tR58SGwf3mgtu1ikkUb2RB9zqaWNdWr7StY7JtD2w28a8dTa0B37iJfgtT/3RXZxvHaqmqvJPi2V33klrLbms+u+0cD/oLQTZCKxHB3oo1rLUjK+JoKuG9Ey9h5md1tnW6q3pr6Q+v9naFzipOtby7ycpemknu42+mXjvVnVxbk2tSaQ8mFg+8V22mXHZbuh7MK5Dmo8UM7rcFVYY1uifGKmLP6njGlF5dT6H9M7RTOQPSv+FU7h3Gq2O7K2xXDkyTm/BFpI0zpJW5qk/qfSrP4uhM7EeSpyDTN7Pmz2ROjAr000PB2Cx6jJXIQRFdKjuFtduPHrh23BTWBmVaxLV78cOVyHqCsn6SPuXXaovKIfHrY+ 13241300x80000000000000001046244Microsoft-Windows-Sysmon/Operationalvictim_pc.attack_range.localSuspicious PathSetValue2023-06-01 14:03:02.713{95766689-a4de-6478-7c57-171800000000}20424C:\Windows\System32\wscript.exeHKU\S-1-5-21-1001\SOFTWARE\Microsoft\Phone\victim\4N5mNUDdRYm2xm++Ici0mq6dvu9nCdn/r9sOycbduy6g+/EvlLtkrdaKHJneFkq2/49fG8u2m9VbzjVy1pdTv2dhmn5roiyctsI0ql6t72mQrrNLOj640Pw1E0drXTo7hkw4M4VUfzUt/2h3ujPVRO3LH6YPq2M+AVydl3Jc/Xg6W9icWDz7iTTkL5oYj6TJGc6zxNrtnDYuO1Ad93lR6M5y78Hy+6I3Frsb4SCLjGRsCt6jAisl9vD56epl5fXde8n6y4NBqm9rat+Eze2anuNOkarqX2syvhkbHiMMJo12FUrxI22e2s2n3JjlqsaM86pmUmvdDYyaZ8W7bNxI96WfQwlayUd6rds0S43i6a6+lX17ft60HJPsj3nblojUS7a2zTrmGa7a3kxPl9VwZWorki2Av3Y4RzHXNTDea+rewBXLuMqrkT1Bvkf/neGqZJyE0VoMOa/B7vR5XeNsOTdwpgpOEyjTROPLjiFP5vgU5FohURs2tFTOK7SWhPz/1einOOy8n+nD+yY3I0tvXI686P9iArHjth7Cf6XJ4xitNZqWo0cVz57q+3Q1HdbeFv1l/XwsmLdNur230TdIjZ7lwWB9ffb1uV05Lk6MOCNouTlzyqRUtK7b7SlxX2aAPEjA7VaUDm2tXJXBdkrifVYsWQZ2acGXa8SzD7uBhiOcD5GieYc5Ye2dg3umR+a4sdiUYNz+tJ1NoVhfXIy9Q7bHaw1mYceTi/8Xx6NbkM9Nd83RUPIx/0VFzouxFzLqx6hvdXeL/F9stRV1tw52U4qjSV3m+emvv3o10RHavT48j612Qu2ror6fLKcJh6tpeXYg/ 13241300x80000000000000001046243Microsoft-Windows-Sysmon/Operationalvictim_pc.attack_range.localSuspicious PathSetValue2023-06-01 14:03:02.098{95766689-a4de-6478-7c57-171800000000}20424C:\Windows\System32\wscript.exeHKU\S-1-5-21-1001\SOFTWARE\Microsoft\Phone\victim\3xvVZ9ethdqUg+pMLr6Sde9uY2JynHdt8anTZZiPedd0XC5I8H/v38z+Dn4KrVoTBXu/drWc+ZzBhNJ9bMWi5G3vDBH/qKPbYWh91ooJ8lb/9IHpHRWSstuypW9n5ymlu6FB+SKsiW1VXYi+7HdbZ3Y5VZjXePOloK+6uZ7qrk/mjNNuvdvpKEVtQWz/eEq1vj+Wo/S42ef6rqy42ZCMaNE8csOzrMLq7oDh+7ZDueLdirvZVcfb7hj/t+NfOizVJmVdf5cLtWsQ2Soqr6JjPKH8b4suRbzLIzfqSeGVp6f9thxUvvtmp1nLI9Wj6mk92g6OvLx8HT/CW7CeQhu5uEV0KPAdJR13x+pEXyyvHl3tiV6/le9ii9nE6Fnw0NDb+5Tr+vNH/maW5D20Cux086r0cC/Pai+9hf1LIvP17r8L4mr7+157WP8wH6IdervuPIXWzXuLgr3l++rSX5P9BCmdO4r67Vxhr6Dmerb+790//6IxF4f/Pt9RbMb5Dd/vr5uRiY3jY4t32ZMwSkDZkPoacW/uAZ4GVdrPqtmT8LtMFKW3af/dXzE97jrsbf9WPif854PuOvWib27ctA7xHOt2c73/XFYLtzMTQDLTAf+ZNeWW37ckXGHuPz39CD/IfxyY6pGIOV3lXxnj6ZC1mbGtbjh+Pbdc6cartZsNFCI7Py8XDWk9NW+Bi22eBSyfZieS/qZOuq18m0PeQtXewuL7w+rTnTVDuV051IidQLpZbrxfzkKD3kcphu5ON4snX9TpCOr8rc0ZO+r3fdUhsMzta5GBYzd+fLm6PtnOQ0WmVgU/qFfjrG4iznu+ONVE3zQce6TUeLIrL6unzzLc3YfqysOnIv58l6MZx2lHyluOGycz1NknuycKOzVN6Xe1ACt0ueStuhKaeHuZa348N6wiXtfNN2nI/ 13241300x80000000000000001046242Microsoft-Windows-Sysmon/Operationalvictim_pc.attack_range.localSuspicious PathSetValue2023-06-01 14:03:01.759{95766689-a4de-6478-7c57-171800000000}20424C:\Windows\System32\wscript.exeHKU\S-1-5-21-1001\SOFTWARE\Microsoft\Phone\victim\2IRRpeg5z+v036ZzzWXYOjjfvnP38y5f/98vOPafn/zSO/tnOv/yvL//x79+kW3S0bs1ttWDZLsyCD0/4mxrZFs7gt1V88/Kff/qf//OnX37/z86/fhsnhXXLfv5pVWf5OfjtdLv99MuX//0Ldriu4/PPP2menUZZdMl/23lhl/ltQ0avk8FrdOw//dLMzIktmMcfTxJbpc/8/BP8OQfa8JSGP/365Xfs7/d//evL//MazbIIcy84/yaH+TmN4tU5LT37nP02tcLT7bw8X+CxnzJYs9D56RcYRHrOizT88hwLPFdG1/PP/xEWt9uv0O7vf7fdf/2sn6sncf/uQz+/PwR3zfP0l18bnvg75NAI39DmYDrfjf6NuX6Bf98x2C///N8/YtXT+XZ2rPz87xzo+8ar//zHP34nf55hPj/Po8wjz/3Xl/avXzQYhJVHaY3LuU6L8y//+lwf2u3zyezXP2yo83yqeYYuDx3Hf335fRt5p3/98x+//LPhHrz+72Ph3U7nFH//Y2kQzxcvPIt1aAWe/WT4n3+0ZufL7Uzo8dvzNh3G+fNPzQ/nk9hQ5yck6O/fPzYOvPz17IgOjrdh3TMYFbDEL18Phq7hzz/JoXYOgH70O7Dpf1xAzM7PuxvRqp+943fkZeFmZdmvX+YFyLn965fV2bqdT79+4cPMa37iizwif/70OVytuOWebWX5s7l//fIDkjZdC1EIElPYsLpAhvUqPtuedUOq/Ppl6p3Oo3rlOc8h/PRDmgjW7QYiBy2VsCZwBWmxypFn0tOv3/LHL7+tzrkcxLdzAHcTLTS5WQ7onEaiCLtZzvn0058M+yknVCiQVk8ivQ0aGGB1i/Jfv2y9NAe99tOv3zHef294X6uYr4YppOdmIX8mgihfQKFTLQDUybwHKONz8oX7BUXw91GdoyyRZmw0N//1IjQha5rDQ5M0CkZWdmZ7K6Ljfv4pGxgP/H8MYer7Q5pkB1DOnCjXmm+ 13241300x80000000000000001046241Microsoft-Windows-Sysmon/Operationalvictim_pc.attack_range.localSuspicious PathSetValue2023-06-01 14:03:01.265{95766689-a4de-6478-7c57-171800000000}20424C:\Windows\System32\wscript.exeHKU\S-1-5-21-1001\SOFTWARE\Microsoft\Phone\victim\1H4sIAAAAAAAAANy9Wa/qyLIu+rzWr5gPW6oqUbsGGDDmSFu6xgZj3NGDqbO0ZAy4Afcd5tzz329EpmEwm2qOts7LndIUA2NnExnNF5ER6dU5/89Vnnp2rkWn85f/3J7TzIvCL8w//3kpQjvHv/GPfzvn/N9xGtn/tk6n9JxlX/7XP/8xt1Ir+PLzf5RW+u8gOhW3869fyBe88Xwq0vMv//jHP/9BLhVhZl3O/w6t3CvP/w7OuRudsi//9eXn3/k4FqPA8sJ//Y// 11241100x80000000000000001046240Microsoft-Windows-Sysmon/Operationalvictim_pc.attack_range.localT10532023-06-01 14:03:00.619{95766689-a4de-6478-7c57-171800000000}20424C:\Windows\System32\wscript.exeC:\Users\VICTIM\AppData\Roaming\com.adobe.dunamis\PROOFORMACE NEGOTIATION.JS2023-06-01 14:03:26.619 154100x80000000000000001046239Microsoft-Windows-Sysmon/Operationalvictim_pc.attack_range.local-2023-06-01 14:02:06.506{95766689-a4de-6478-7c57-171800000000}20424C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\VICTIM\AppData\Local\Temp\1\Temp1_Can_you_cancel_ideal_image_contract_95756.zip\can you cancel ideal image contract 79426.js" C:\WINDOWS\system32\ATTACK_RANGE\VICTIM{95766689-d58b-6474-c31b-0e0000000000}0xe1bc31MediumMD5=A47CBE969EA935BDD3AB568BB126BC80,SHA256=34008E2057DF8842DF210246995385A0441DC1E081D60AD15BD481E062E7F100,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C{95766689-d58d-6474-ff50-0f0000000000}9444C:\Windows\explorer.exeC:\WINDOWS\Explorer.EXE